

IDENTITY THEFT: VICTIMS BILL OF RIGHTS 


HEARING 

BEFORE THE 

SUBCOMMITTEE ON INFORMATION POLICY, 
CENSUS, AND NATIONAL ARCHIVES 

OF THE 

COMMITTEE ON OVERSIGHT 
AND GOVERNMENT REFORM 

HOUSE OF REPRESENTATIVES 

ONE HUNDRED ELEVENTH CONGRESS 

FIRST SESSION 
JUNE 17, 2009 

Serial No. 111-21 


Printed for the use of the Committee on Oversight and Government Reform 



Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html 
http://www.oversight.house.gov 


U.S. GOVERNMENT PRINTING OFFICE 
53-643 PDF WASHINGTON : 2009 


For sale by the Superintendent of Documents, U.S. Government Printing Office 
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001 


COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM 


EDOLPHUS TOWNS, New York, Chairman 


PAUL E. KANJORSKI, Pennsylvania 
CAROLYN B. MALONEY, New York 
ELIJAH E. CUMMINGS, Maryland 
DENNIS J. KUCINICH, Ohio 
JOHN F. TIERNEY, Massachusetts 
WM. LACY CLAY, Missouri 
DIANE E. WATSON, California 
STEPHEN F. LYNCH, Massachusetts 
JIM COOPER, Tennessee 
GERRY E. CONNOLLY, Virginia 
MIKE QUIGLEY, Illinois 
MARCY KAPTUR, Ohio 
ELEANOR HOLMES NORTON, District of 
Columbia 

PATRICK J. KENNEDY, Rhode Island 

DANNY K. DAVIS, Illinois 

CHRIS VAN HOLLEN, Maryland 

HENRY CUELLAR, Texas 

PAUL W. HODES, New Hampshire 

CHRISTOPHER S. MURPHY, Connecticut 

PETER WELCH, Vermont 

BILL FOSTER, Illinois 

JACKIE SPEIER, California 

STEVE DRIEHAUS, Ohio 


DARRELL E. ISSA, California 

DAN BURTON, Indiana 

JOHN M. McHUGH, New York 

JOHN L. MICA, Florida 

MARK E. SOUDER, Indiana 

JOHN J. DUNCAN, Jr., Tennessee 

MICHAEL R. TURNER, Ohio 

LYNN A. WESTMORELAND, Georgia 

PATRICK T. McHENRY, North Carolina 

BRIAN P. BILBRAY, California 

JIM JORDAN, Ohio 

JEFF FLAKE, Arizona 

JEFF FORTENBERRY, Nebraska 

JASON CHAFFETZ, Utah 

AARON SCHOCK, Illinois 


Ron Stroman, Staff Director 
Michael McCarthy, Deputy Staff Director 
Carla Hultberg, Chief Clerk 
Larry Brady, Minority Staff Director 

Subcommittee on Information Policy, Census, and National Archives 
WM. LACY CLAY, Missouri, Chairman 

PAUL E. KANJORSKI, Pennsylvania 
CAROLYN B. MALONEY, New York 
ELEANOR HOLMES NORTON, District of Columbia 
DANNY K. DAVIS, Illinois 
STEVE DRIEHAUS, Ohio 
DIANE E. WATSON, California 

PATRICK T. McHENRY, North Carolina 
LYNN A. WESTMORELAND, Georgia 
JOHN L. MICA, Florida 
JASON CHAFFETZ, Utah 

Darryl Piggee, Staff Director 





CONTENTS 


Hearing held on June 17, 2009 

Statement of: 

    Allen, Catherine, chairman and CEO, the Santa Fe Group; Marc 
    Rotenberg, executive director, Electronic Privacy Information 
    Center; Donald Rebovich, executive director, Center for Identity 
    Management and Information Protection; Anne Wallace, president, 
    Identity Theft Assistance Corp.; and Eric Handy, representative, 
    Identity Theft Resource Center 
        Allen, Catherine 
        Handy, Eric 
        Rebovich, Donald 
        Rotenberg, Marc 
        Wallace, Anne 

    Broder, Betsy, Assistant Director, Federal Trade Commission, 
    Division of Privacy and Identity Protection; Jason M. Weinstein, 
    U.S. Department of Justice, Deputy Assistant Attorney General, 
    Criminal Division; and Daniel Bertoni, Government Accountability 
    Office, Director, Education, Workforce and Income Security 
        Bertoni, Daniel 
        Broder, Betsy 
        Weinstein, Jason M. 

Letters, statements, etc., submitted for the record by: 

    Allen, Catherine, chairman and CEO, the Santa Fe Group, prepared 
    statement of 

    Bertoni, Daniel, Government Accountability Office, Director, 
    Education, Workforce and Income Security, prepared statement of 

    Broder, Betsy, Assistant Director, Federal Trade Commission, 
    Division of Privacy and Identity Protection, prepared statement of 

    Clay, Hon. Wm. Lacy, a Representative in Congress from the State of 
    Missouri, prepared statement of 

    Handy, Eric, representative, Identity Theft Resource Center, 
    prepared statement of 

    McHenry, Hon. Patrick T., a Representative in Congress from the 
    State of North Carolina, prepared statement of 

    Rebovich, Donald, executive director, Center for Identity 
    Management and Information Protection, prepared statement of 

    Rotenberg, Marc, executive director, Electronic Privacy Information 
    Center, prepared statement of 

    Wallace, Anne, president, Identity Theft Assistance Corp., prepared 
    statement of 

    Watson, Hon. Diane E., a Representative in Congress from the State 
    of California, prepared statement of 

    Weinstein, Jason M., U.S. Department of Justice, Deputy Assistant 
    Attorney General, Criminal Division, prepared statement of 




IDENTITY THEFT: VICTIMS BILL OF RIGHTS 


WEDNESDAY, JUNE 17, 2009 

House of Representatives, 

Subcommittee on Information Policy, Census, and 

National Archives, 

Committee on Oversight and Government Reform, 

Washington, DC. 

The subcommittee met, pursuant to notice, at 2:03 p.m., in room 
2154, Rayburn House Office Building, Hon. Wm. Lacy Clay (chairman 
of the subcommittee) presiding. 

Present: Representatives Clay, Driehaus, Watson, and McHenry. 

Staff present: Darryl Piggee, staff director/counsel; Frank Davis, 
professional staff member; Jean Gosa, clerk; Charisma Williams, 
staff assistant; Adam Hodge, deputy press secretary, full committee; 
Dan Blankenburg, minority director of outreach and senior advisor; 
Adam Fromm, minority chief clerk and Member liaison; Stephen 
Castor, minority senior counsel; and John Ohly, minority 
professional staff member. 

Mr. Clay. The Information Policy, Census, and National Archives 
Subcommittee will come to order. Good afternoon, and welcome to 
today’s hearing entitled, “Identity Theft: A Victims Bill of 
Rights.” Today’s hearing will examine identity theft and its impact 
on victims. 

On our first panel we will hear from government witnesses who 
will testify about how the Federal Government addresses identity 
theft. Our second panel comes from outside the government, and 
they will tell us about their experience with and research on 
identity theft. Both panels will offer recommendations that they 
believe will improve current assistance programs to victims and 
discourage identity theft. 

And without objection, the Chair and ranking member will have 
5 minutes to make opening statements followed by opening 
statements not to exceed 3 minutes by any other Member who seeks 
recognition. 

Without objection, Members and witnesses may have 5 legislative 
days to submit a written statement or extraneous materials for 
the record. 

The purpose of today’s hearing is to examine actions the Federal 
Government has taken to address the problem of identity theft and 
how to provide protection to victims. We will consider many 
important topics today, including current and emerging issues on 
identity theft, how to improve both public and private assistance 
efforts to victims of identity theft, and how to increase 
prosecution and deterrence of identity thieves. 




According to recent studies, identity theft affected nearly 10 
million Americans in 2008 alone, an increase of 22 percent from 2007. 
It is estimated that the average costs to consumers and businesses 
top $49 billion. Identity theft is now the No. 1 consumer complaint 
received by the Federal Trade Commission, accounting for 26 
percent of all complaints received from consumers in 2008. 

Identity theft is not a victimless crime. There are many victims 
of identity theft, and commonly the same victim is targeted over 
and over again. Victims include 18-month-old children, deceased 
loved ones, banks, insurance companies, small businesses and the 
Federal Government. Women, Hispanic Americans, military 
personnel and Medicare recipients are most likely to be victims of 
identity theft. Secondary and tertiary victims of identity theft 
include families, employers and financial institutions. 

Identity theft itself includes not only financial losses, but also 
nonfinancial identity theft, such as criminal and medical identity 
theft. The identity thief uses the victim’s identity to commit a 
crime or to receive medical services. Many times it is difficult for 
the victim to expunge their criminal and medical records from 
incorrect information, leading to false arrests or wrong diagnoses. 

Experts agree that identity theft prevention and assistance 
efforts are lagging far behind the needs of the victims. All identity 
crime victims today run into a vast number of problems when 
trying to restore their identity. And identity thieves are quick to 
overcome any obstacles set in place by legislation. Today this 
subcommittee will focus on these concerns voiced by the public in a 
collaboration to combat and prevent identity theft. 

I thank all of our witnesses who are appearing today and look 
forward to their testimonies. 

[The prepared statement of Hon. Wm. Lacy Clay follows:] 





Statement 

Of 

Wm. Lacy Clay, Chairman 

Information Policy, Census, and National Archives Subcommittee 
Oversight and Government Reform Committee 

“Identity Theft: Victims Bill of Rights” 

Wednesday, June 17, 2009 
2154 Rayburn HOB 
2:00 p.m. 

THE PURPOSE OF TODAY’S HEARING IS TO EXAMINE ACTIONS THE 
FEDERAL GOVERNMENT HAS TAKEN TO ADDRESS THE PROBLEM OF 
IDENTITY THEFT, AND HOW TO PROVIDE PROTECTION TO VICTIMS. 

WE WILL CONSIDER MANY IMPORTANT TOPICS TODAY, INCLUDING 
CURRENT AND EMERGING ISSUES OF IDENTITY THEFT, HOW TO 
IMPROVE BOTH PUBLIC AND PRIVATE ASSISTANCE EFFORTS TO 
VICTIMS OF IDENTITY THEFT, AND HOW TO INCREASE PROSECUTION 
AND DETERRENCE OF IDENTITY THIEVES. 

ACCORDING TO RECENT STUDIES, IDENTITY THEFT AFFECTED 
NEARLY TEN MILLION AMERICANS IN 2008 ALONE, AN INCREASE OF 
22% FROM 2007. IT IS ESTIMATED THAT THE AVERAGE COST TO 
CONSUMERS AND BUSINESSES TOPS $49 BILLION DOLLARS. IDENTITY 
THEFT IS NOW THE NUMBER ONE CONSUMER COMPLAINT RECEIVED 
BY THE FEDERAL TRADE COMMISSION, ACCOUNTING FOR 26% OF ALL 
COMPLAINTS RECEIVED FROM CONSUMERS IN 2008. 

IDENTITY THEFT IS NOT A VICTIMLESS CRIME. THERE ARE MANY 
VICTIMS OF IDENTITY THEFT, AND COMMONLY THE SAME VICTIM IS 
TARGETED OVER AND OVER AGAIN. VICTIMS INCLUDE 18 MONTH OLD 
CHILDREN, DECEASED LOVED ONES, BANKS, INSURANCE COMPANIES, 
SMALL BUSINESSES, AND THE FEDERAL GOVERNMENT. WOMEN, 
HISPANIC AMERICANS, MILITARY PERSONNEL, AND MEDICARE 
RECIPIENTS ARE ALL MORE LIKELY TO BE VICTIMS OF IDENTITY 
THEFT. SECONDARY AND TERTIARY (PRONOUNCED TER-SHE-A/R-EE) 
VICTIMS OF IDENTITY THEFT INCLUDE FAMILIES, EMPLOYERS, AND 
FINANCIAL INSTITUTIONS. 

IDENTITY THEFT ITSELF INCLUDES NOT ONLY FINANCIAL LOSSES, 
BUT ALSO NONFINANCIAL IDENTITY THEFT, SUCH AS CRIMINAL AND 
MEDICAL IDENTITY THEFT. THE IDENTITY THIEF USES THE VICTIM’S 
IDENTITY TO COMMIT A CRIME, OR TO RECEIVE FREE MEDICAL 
SERVICES. MANY TIMES IT IS DIFFICULT FOR THE VICTIM TO 
EXPUNGE THEIR CRIMINAL AND MEDICAL RECORDS FROM 
INCORRECT INFORMATION, LEADING TO FALSE ARRESTS OR WRONG 
DIAGNOSES. 

EXPERTS AGREE THAT IDENTITY THEFT PREVENTION AND 
ASSISTANCE EFFORTS ARE LAGGING FAR BEHIND THE NEEDS OF THE 
VICTIMS. ALL IDENTITY CRIME VICTIMS TODAY RUN INTO A VAST 
NUMBER OF PROBLEMS WHEN TRYING TO RESTORE THEIR IDENTITY, 
AND IDENTITY THIEVES ARE QUICK TO OVERCOME ANY OBSTACLES 
SET IN PLACE BY LEGISLATION. TODAY THIS SUBCOMMITTEE WILL 
FOCUS ON THESE CONCERNS VOICED BY THE PUBLIC, IN A 
COLLABORATION TO COMBAT AND PREVENT IDENTITY THEFT. 

I THANK ALL OF OUR WITNESSES FOR APPEARING TODAY AND 
LOOK FORWARD TO THEIR TESTIMONIES. 




Mr. Clay. And now we will proceed with swearing in the 
witnesses. Let me start first by introducing our first panel. 

We will hear first from Ms. Betsy Broder, an Assistant Director 
in the Division of Privacy and Identity Protection for the Federal 
Trade Commission. In this capacity she helps coordinate the 
agency’s law enforcement, research and outreach efforts on privacy 
issues, including identity theft, pretexting and security. 

Next we will hear from Mr. Jason Weinstein, who currently 
serves as a Deputy Assistant Attorney General in the Department 
of Justice’s Criminal Division. Prior to working at the Department 
of Justice, he was an assistant U.S. attorney in the Southern 
District of New York, where he prosecuted criminal cases involving 
violent crime, gangs, public corruption and financial crimes. 
Welcome to you. 

Our last witness on the first panel is Mr. Dan Bertoni, a Director 
with GAO’s Education, Workforce and Income Security Team. Mr. 
Bertoni began his career with GAO in 1989, and over the course 
of his career, he has focused on identifying and preventing fraud, 
waste and abuse in Federal programs, and has also developed a 
body of work related to identity theft. 

And thank you all for appearing before the subcommittee today. 

It is the policy of the Oversight and Government Reform 
Committee to swear in all witnesses before they testify. I would like 
to ask each one to please stand and raise your right hands. 

[Witnesses sworn.] 

Mr. Clay. Let the record reflect that the witnesses answered in 
the affirmative. 

You may be seated. 

Each of you will have 5 minutes to make an opening statement. 
Your complete written testimony will be included in the hearing 
record. The yellow light in front of you will indicate that it is time 
to sum up. The red light will indicate that your time has expired. 
Hopefully we can get through both panels before we are 
interrupted for votes. 

And we will start with you, Ms. Broder. You may proceed. 

STATEMENTS OF BETSY BRODER, ASSISTANT DIRECTOR, FEDERAL 
TRADE COMMISSION, DIVISION OF PRIVACY AND IDENTITY 
PROTECTION; JASON M. WEINSTEIN, U.S. DEPARTMENT OF 
JUSTICE, DEPUTY ASSISTANT ATTORNEY GENERAL, CRIMINAL 
DIVISION; AND DANIEL BERTONI, GOVERNMENT ACCOUNTABILITY 
OFFICE, DIRECTOR, EDUCATION, WORKFORCE AND INCOME 
SECURITY 

STATEMENT OF BETSY BRODER 

Ms. Broder. Thank you very much, Chairman Clay. I am Assistant 
Director, as you said, in the FTC Division of Privacy and Identity 
Protection. 

The written testimony that we submitted reflects the views of 
the Commission, but my oral remarks today are my own and don’t 
necessarily reflect the views of the Commission or any 
Commissioner. 

Our written testimony details the approach the Commission has 
taken with respect to identity theft: Our data security, education 
and law enforcement program; our leadership; the President’s 
Identity Theft Task Force; and our measures to improve consumer 
authentication. 

Right now, however, I want to focus on three specific areas: First, 
how the FTC helps consumers recover from identity theft; second, 
remedies for identity theft victims; and finally, the FTC’s 
recommendation for ways to improve efforts on this front. 

First the Victim Assistance Program. 

Mr. Clay. Can I ask you to pull the mic closer and make sure 
it’s on? 

Ms. Broder. Almost 2 million consumers 

Mr. Clay. Is your mic on? Press the button. 

There you go. Thank you. 

Ms. Broder. I hoped that tolled the clock. 

Mr. Clay. You don’t have to start over. 

Ms. Broder. And I don’t intend to, sir. 

Almost 2 million consumers have turned to the Federal Trade 
Commission after they discovered that someone else has used their 
name to open up credit accounts, get a job or even obtain health 
care. Among these victims, a soldier returning from Afghanistan, 
a mother calling on behalf of her disabled child whose identity was 
stolen, and people whose government benefits were terminated 
because someone else is working in their name. 

The FTC is the Nation’s one-stop shop for identity theft victims. 
We have a toll-free hotline that connects callers with trained 
counselors, who, in English or Spanish, can walk the consumer through 
the steps of recovery. On-line resources at ftc.gov/idtheft provide 
the same types of assistance, explaining how to set fraud alerts 
with the credit reporting agencies, how to dispute fraudulent 
charges or accounts, and how to handle debt collectors. Last year 
alone we helped more than 300,000 consumers who were victims of 
identity theft. In turn, their complaints are entered into our 
Consumer Sentinel Network, which is an on-line resource for law 
enforcers, with direct access to these 2 million complaints and other 
useful investigative resources. 

Other organizations, including ITAC that you will be hearing 
from later, also contribute data to Consumer Sentinel. This robust 
data base is the Nation’s clearinghouse of identity theft complaints, 
and it is an essential tool for all investigative agencies that are 
investigating or prosecuting identity crimes. 

The FTC also has responded to new challenges with more refined 
tools for victims. For example, victims often need police reports in 
order to vindicate their good name. But many law enforcement 
agencies are overtaxed; they don’t have sufficient resources to 
develop the kind of detailed police report that’s necessary for 
recovery. The FTC identified this issue as a priority, so now when 
consumers file complaints with the FTC, law enforcers over 1,700 
agencies who have access to Consumer Sentinel can pull up that 
consumer’s complaint, validate it as an identity theft report, a 
police report. So now the consumer has their police report, the police 
agency is able to greatly simplify this task for all involved. 

We’ve also worked closely with the IRS, which has recently set 
up a dedicated help line for victims of tax-related identity theft. We 
are launching a system to get callers connected to the specialized 
office of the IRS to resolve what are often very complex issues 
dealing with tax refunds or outstanding liability resulting from 
identity theft. 

And Commission staff coordinates with other organizations that 
can provide more individualized help when that’s what’s needed. 
For example, the Identity Theft Resource Center, which also is 
testifying today, is the recipient of the Department of Justice grant 
to establish a model nationwide Victim Assistance Program. Our call 
center has implemented a system to direct people to that office. 

The FTC also is collaborating with the American Bar Association 
to establish a program to provide pro bono assistance to victims of 
identity theft. 

Next I would like to briefly discuss some new remedies for 
identity theft victims. The FACT Act, which was passed in 2003, 
provided important tools for victims of identity theft. We are now all 
entitled to a free copy of our credit report every 12 months from 
each of the credit reporting agencies. A credit report can offer an 
early warning sign or that fraud is afoot. The FACT Act allows 
identity theft victims to block fraudulent items in trade lines on 
their credit reports. They can place fraud alerts on their credit 
reports and obtain documents relating to the fraud, such as a 
fraudulent application. 

This last right is particularly important because many victims 
used to find themselves in a Catch-22 where they would be 
receiving dunning notices for the fraudulently opened accounts, but 
were denied access to the forged application because it was 
submitted by another person. This provision of the FACT Act 
addresses the frustrating scenario. 

Credit freezes, identity theft passports and other tools also help 
prevent identity thieves from exploiting consumers’ good names. 

Finally, now, I would like to mention the FTC’s legislative 
recommendations that address identity theft. We have come a long 
way in building systems and processes to help identity theft 
victims, but clearly more needs to be done. The FTC is not a criminal 
enforcement agency, so we cannot prosecute the crime. Our 
partners at the Department of Justice are working aggressively on 
that front. Strong data security, locking down the data that identity 
thieves target is essential if we are to reduce the overall incidence 
of the crime. That is where we can exert our law enforcement 
muscle in areas that have direct impact on identity theft. 

Although the FTC has maintained a vigorous presence, bringing 
cases against companies that failed to use reasonable procedures to 
protect sensitive consumer information, we could have an even 
greater impact if the Commission could assess several penalties for 
such violations. The Commission also has called for nationwide 
data-security standards for entities that are not already subject to 
such laws, as well as the national breach notification law. 

And finally, the Commission has recommended improved 
consumer authentication as well as restrictions on the display and 
transmission of Social Security numbers as part of a comprehensive 
approach to reducing the use of Social Security numbers in the 
commission of an identity theft. 

Chairman Clay, members of the committee, victims of identity 
theft often suffer harms that can endure for years. Although there 
are now more effective tools to respond to this crime, victims still 
face challenges in putting their lives back together. The FTC 
remains committed to working with victims. 

Thank you very much. 

Mr. Clay. Thank you, Ms. Broder, for your testimony. 

[The prepared statement of Ms. Broder follows:] 





Prepared Statement of 
The Federal Trade Commission 
“Identity Theft: Victims Bill of Rights” 

Before the 

Subcommittee on Information Policy, Census, and National Archives 
Committee on Oversight and Government Reform 
United States House of Representatives 


Washington, D.C. 
June 17, 2009 





Chairman Clay, Ranking Member McHenry, and members of the Subcommittee, I am 
Betsy Broder, Assistant Director of the Division of Privacy and Identity Protection at the Federal 
Trade Commission (“FTC” or “Commission”). I appreciate the opportunity to present the 
Commission’s testimony on its activities to protect consumers from identity theft. 1 Although 
identity theft continues to be a serious concern in our information-based economy, the 
Commission is working to reduce its incidence and impact on consumers. This testimony will 
summarize the Commission’s efforts to fight identity theft through (1) participation on the 
President’s Identity Theft Task Force; (2) law enforcement on data security; (3) consumer and 
business education; and (4) implementation of the identity theft-related provisions of the Fair and 
Accurate Credit Transactions Act (“FACT Act”). 2 It will also describe the Commission’s 
legislative recommendations in this area. 

I. The Profile of Identity Theft 

Millions of consumers are victimized by identity theft every year. According to the 
Commission’s most recent identity theft survey, approximately 8.3 million American adults - 
3.7 percent of all American adults - discovered that they were victims of identity theft in 2005. 3 
Beyond its direct costs, identity theft harms our economy by threatening consumers’ confidence 
in the marketplace. 


1 This written statement represents the views of the Federal Trade Commission. My oral 
presentation and responses are my own and do not necessarily reflect the views of the 
Commission or of any Commissioner. 

2 Pub. L. 108-159 (2003). 

3 See Federal Trade Commission, Identity Theft Survey Report, Prepared by Synovate 3 
(2006), www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf. 


Although identity theft often is associated with financial transactions, it can also take 
place in other contexts. For example, thieves can steal identities to gain employment, immigrate 
into this country, and evade law enforcement. Medical identity theft also has received attention 
in recent months. 4 It occurs when a thief uses the name or insurance information of another 
person to obtain medical care. As a result, not only are medical identity theft victims charged for 
services they did not incur, but even more importantly, their medical records may be corrupted, 
thus compromising their care in potentially life-threatening ways. 5 

II. The FTC’s Program to Combat Identity Theft 

Given the potential harms that can result from identity theft, the government and private 
sector must work together to combat it. The FTC has played a lead role in this effort since 1998, 
when Congress enacted the Identity Theft Assumption and Deterrence Act (the “Identity Theft 
Act”). Among other things, the Identity Theft Act required the FTC to collect consumers’ 
identity theft complaints, provide victim assistance, and refer complaints to law enforcement. 6 

Pursuant to the Identity Theft Act, the FTC established an online portal and toll-free 
hotline, through which approximately 20,000 consumers contact the FTC every week for 
information on how to guard against identity theft or obtain assistance in recovery. In 2008, the 
agency received approximately 314,000 reports of actual identity theft. Consumers who report 
their identity theft to the FTC receive step-by-step guidance on how to minimize the harm and 
recover from the crime. In addition, the information they provide about their experiences is 
entered into the agency’s Consumer Sentinel Network, a secure online resource for law 
enforcement. The over 1,700 investigative agencies with access to the Network can use the data 
to create or support ongoing investigations, enhance penalties at sentencing phase, or coordinate 
with other law enforcement agencies. In addition to fulfilling its responsibilities under the 
Identity Theft Act, the Commission has taken a broader role in combating identity theft, as 
described below. 

4 In October 2008, the Department of Health and Human Services hosted a Town Hall 
meeting on the subject, and in January 2009, it released a report containing a list of potential 
action items to address it. See Department of Health and Human Services, ONC Commissioned 
Medical Identity Theft Assessment, 
http://healthit.hhs.gov/portal/server.pt?open=512&objID=1177&parentname=CommunityPage&parentid=9&mode=2&in_hi_userid=10741&cached=true. 

5 See supra note 3 at 21. 

6 18 U.S.C. § 1028 note. 

A. President’s Identity Theft Task Force 

The Commission has played a lead role in the efforts of the President’s Identity Theft 
Task Force (“Task Force”). In May 2006, President Bush established the Task Force, comprised 
of 17 federal agencies and co-chaired by the FTC’s Chairman, with the mission of developing a 
comprehensive national strategy to combat identity theft. 7 In April 2007, the Task Force 
published its national strategy, which recommended 31 initiatives to reduce the incidence and 
impact of identity theft. 8 The recommendations focused on identity theft prevention, victim 
assistance, and deterrence. The FTC, along with the other Task Force agencies, have been very 
active in implementing the national strategy. Together, the Task Force agencies issued a report 
last September outlining the significant progress made to date. 9 Some highlights follow. 

7 Exec. Order No. 13,402, 71 Fed. Reg. 27,945 (May 15, 2006). 

8 See The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic 
Plan (2007), http://www.idtheft.gov/reports/StrategicPlan.pdf. 

First, with respect to prevention, the Task Force promoted an enhanced culture of data 
security in the public and private sectors. For the public sector, the Task Force member agencies 
launched a variety of initiatives aimed at making the federal government a better custodian of 
sensitive personal information. For example, the Office of Management and Budget issued data 
security and breach management guidance for government agencies; the Social Security 
Administration removed Social Security numbers (“SSNs”), a key item of information for 
identity thieves, almost entirely from its internal human resources forms; and the Department of 
Defense is working toward removal of SSNs from military identification cards. The recent 
breach of sensitive records maintained by the National Archives highlights the need for 
continued vigilance on data security in the public sector. 

The Task Force is encouraging similar data security efforts in the private sector. These 
efforts, some of which are described in other parts of this testimony, include business education 
and outreach, law enforcement actions against companies that fail to maintain reasonable 
security, and proposed legislation on data security. At the same time, the Commission and other 
agencies are educating consumers on how to avoid becoming victims of identity theft. In one 
important example, the U.S. Postal Service delivered a mailing in early 2008 to 146 million U.S. 
residences and businesses with advice on how consumers can protect themselves against identity 
theft. 

Second, the Task Force launched a number of initiatives to assist identity theft victims 
when they begin the sometimes arduous task of repairing their credit and restoring their good 
names. For example, the FTC has developed a training CD and publications on victim assistance 
to help law enforcement offices direct identity theft victims to the resources they need for 
recovery. In addition, Task Force members have trained victim assistance counselors; provided 
grants to organizations that directly help identity theft victims; developed and posted an Identity 
Theft Victim Statement of Rights; 10 and worked closely with the American Bar Association on a 
pro bono legal assistance program for identity theft victims. Task Force members also are 
continuing to evaluate the effectiveness of various laws and programs designed to help victims, 
such as state credit freeze laws and rights granted under the FACT Act. 

9 See The President’s Identity Theft Task Force Report (2008), 
http://www2.ftc.gov/os/2008/10/081021taskforcereport.pdf. 

Third, the Task Force has worked to improve law enforcement’s ability to investigate, 
prosecute, and punish identity thieves. For instance, Task Force member agencies have provided 
identity theft training to over 4,600 law enforcement officers from over 1,500 agencies. Task 
Force members have successfully prosecuted a number of identity theft cases; partnered with 
foreign law enforcement agencies in identity theft investigations; and worked toward greater 
information sharing among and between law enforcement agencies and the private sector. To 
further improve law enforcement, the Task Force recommended measures to enhance the 
gathering of statistical data on identity theft. In response, the FTC has worked with the Bureau of 
Justice Statistics (“BJS”) to add questions about identity theft in BJS’ National Crime 
Victimization Survey, which reaches approximately 40,000 households. The responses will 
enable BJS to estimate the types of identity theft victimization as well as gather data on financial 
loss, emotional impact, and law enforcement response. The Commission expects that this 
survey, the results of which will be available later this year, will further inform its efforts to 
combat identity theft. 

10 See Federal Trade Commission, Fighting Back Against Identity Theft, 
http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/rights.html. 

B. Law Enforcement on Data Security 

One important way to keep sensitive information out of the hands of identity thieves is to 
ensure that those who maintain such information adequately protect it. The Commission plays 
a central role in furthering this goal by bringing law enforcement actions against businesses that 
fail to implement reasonable security measures to protect sensitive consumer data. 

The FTC enforces several laws that contain data security requirements applicable to the 
private sector. The Commission’s Safeguards Rule under the Gramm-Leach-Bliley Act (“GLB 
Act”), for example, contains data security requirements for financial institutions. 11 The Fair 
Credit Reporting Act (“FCRA”) requires consumer reporting agencies to use reasonable 
procedures to ensure that the entities to which they disclose sensitive consumer information have 
a permissible purpose for receiving that information, 12 and imposes safe disposal obligations on 
entities that maintain consumer report information. 13 In addition, the FTC enforces the Federal 
Trade Commission Act’s proscription against unfair or deceptive acts or practices in cases where 
a business makes false or misleading claims about its data security procedures, or where its 

11 16 C.F.R. Part 314, implementing 15 U.S.C. § 6801(b). The Federal Deposit Insurance 
Corporation, National Credit Union Administration, Securities and Exchange Commission, 

Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, 
Office of Thrift Supervision, and the Secretary of the Treasury have promulgated comparable 
safeguards requirements for the entities they regulate. 

12 15 U.S.C. § 1681e. 

13 Id. at § 1681w. The FTC’s implementing rule is at 16 C.F.R. Part 682. 




failure to employ reasonable security measures causes or is likely to cause substantial consumer 
injury. 14 

Since 2001, the Commission has used its authority under these laws to bring 26 cases 
against businesses that allegedly failed to protect consumers’ personal information. 15 These 
cases, including cases against such well-known companies as Microsoft, Choicepoint, TJX, 
Lexis Nexis, and CVS, have alleged such practices as the failure to (1) comply with posted 
privacy policies; 16 (2) take even the most basic steps to protect against common technology 
threats; 17 (3) dispose of data properly; 18 and (4) take reasonable steps to ensure that they do not 
share customer data with unauthorized third parties. 19 

Some of these cases involved unfair or deceptive practices under the FTC Act, while 
others were brought under the Commission’s Safeguards Rule or the FCRA. Although the 


14 15 U.S.C. § 45(a). 

15 See Federal Trade Commission, Privacy Initiatives, Enforcement, 
http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html. 

16 See, e.g., In the Matter of Premier Capital Lending, Inc., FTC Docket No. C-4241 
(Dec. 10, 2008); In the Matter of Life is good, Inc., FTC Docket No. C-4218 (Apr. 16, 2008); In 
the Matter of Petco Animal Supplies, Inc., FTC Docket No. C-4133 (Mar. 4, 2005); In the Matter 
of MTS Inc., d/b/a Tower Records/Books/Video, FTC Docket No. C-4110 (May 28, 2004); In the 
Matter of Microsoft Corp., FTC Docket No. C-4069 (Dec. 20, 2002). 

17 See, e.g., In the Matter of The TJX Cos., FTC Docket No. C-4227 (July 29, 2008); In 
the Matter of Reed Elsevier, Inc., FTC Docket No. C-4226 (July 29, 2008). 

18 See, e.g., Federal Trade Commission v. Navone, No. 2:08-CV-001842 (D. Nev. Dec. 
30, 2008); United States v. American United Mortgage, No. 1:07-CV-07064 (N.D. Ill. Dec. 18, 
2007); In the Matter of CVS Caremark Corp., File No. 072 3119 (Feb. 19, 2009) (accepted for 
public comment). 

19 See, e.g., United States v. Rental Research Svcs., No. 09 CV 524 (D. Minn. Mar. 5, 
2009); United States v. ChoicePoint, Inc., No. 1:06-CV-0198 (N.D. Ga. Feb. 15, 2006). 




Commission has brought its cases under different laws, all of the cases stand for the principle 
that companies must maintain reasonable and appropriate measures to protect sensitive consumer 
information. What is “reasonable” will depend on the size and complexity of the business, the 
nature and scope of its activities, and the sensitivity of the information at issue. The principle 
recognizes that there cannot be “perfect” security, and that data breaches can occur 
even when a company maintains reasonable precautions to prevent them. At the same time, 
companies that put consumer data at risk can be liable even in the absence of a known breach. 
The Commission believes that its aggressive law enforcement has helped sensitize businesses to 
the importance of data security and motivated them to devote more attention and resources to the 
protection of sensitive data. 

C. Consumer and Business Education 

Both independently and pursuant to the Identity Theft Task Force recommendations, the 
Commission has undertaken substantial efforts to increase consumer and business awareness 
about how to prevent identity theft and how to minimize the damage when a theft does occur. 

For example, the FTC’s identity theft primer and victim recovery guide are widely available in 
print and online in English and Spanish. 20 Since 2000, the Commission has distributed more 
than 9 million copies of the two publications, and recorded over 4.5 million visits to the Web 
versions. 

The Commission recognizes that its consumer education efforts can be even more 
effective if it partners with local businesses, community groups, and members of Congress to 

20 See Federal Trade Commission, Fighting Back Against Identity Theft, 
http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/deter-detect-defend.html 




educate their employees, communities, and constituencies. For example, the Commission has 
launched a nationwide identity theft education program, “Avoid ID Theft: Deter, Detect, 
Defend,” which contains a consumer education kit that includes direct-to-consumer brochures, 
training materials, presentation slides, and videos for use by such groups. The Commission has 
developed a second consumer education toolkit with everything an organization needs to host a 
“Protect Your Identity Day.” Since the campaign launch in 2006, the FTC has distributed nearly 
100,000 consumer education kits and over 47,000 Protect Your Identity Day kits. 

The Commission also sponsors a multimedia website, OnGuard Online, and a 
Spanish-language counterpart, Alerta En Linea, designed to educate consumers about basic computer 
security, including the importance of not disclosing personal information to possible fraudsters. 
OnGuard Online was developed in partnership with other government agencies and the 
technology sector, and since its launch in 2005, has attracted more than 9.5 million visits. The 
site allows users to download educational games and videos, search for specific topics such as 
phishing or social networking, and obtain useful tips and information in an interactive format. 

The Commission directs its outreach to businesses as well. The FTC widely disseminates 
its business guide on data security, along with an online tutorial based on the guide. 21 These 
resources are designed to provide diverse businesses - especially small businesses - with 
practical, concrete advice as they develop data security programs and plans. In addition, the FTC 
has held regional data security workshops for businesses in locations around the country, 
including Chicago, Los Angeles, Dallas and New York. It also has released nine articles for 


21 See Federal Trade Commission, Protecting Personal Information: A Guide for 
Business, www.ftc.gov/infosecurity. 




businesses relating to basic data security issues for a non-legal audience. The articles have been 
reprinted in both English and Spanish language newsletters for local Chambers of Commerce and 
other business organizations. 

D. Implementation of the FACT Act 

The Commission also has worked to implement the identity theft protections of the FACT 
Act. That Act amended the FCRA by, among other things, adding several provisions designed to 
reduce the incidence of identity theft or minimize the injury to victims. First, it sought to limit 
opportunities for identity thieves to access consumer report information. For example, the FACT 
Act mandated that businesses dispose of consumer report information in a safe manner. 22 The 
Commission has promulgated the Disposal Rule to implement this requirement for entities within 
its jurisdiction, and has sued entities that failed to comply. 23 

Second, the FACT Act provided consumers new opportunities to review their credit 
records and spot incipient signs of identity theft. Under the FACT Act, consumers have the right 
to receive a free credit report every twelve months from each of the nationwide consumer 
reporting agencies (“CRAs”), as well as from nationwide “specialty” CRAs. 24 The Commission 
has acted aggressively to uphold the integrity of the free report program; for example, it has 
brought two actions against companies offering “free” credit reports tied to the purchase of a 


22 15 U.S.C. § 1681w. 

23 16 C.F.R. Part 682. See Federal Trade Commission v. Navone, No. 2:08-CV-001842 
(D. Nev. Dec. 30, 2008); United States v. American United Mortgage, No. 1:07-CV-07064 (N.D. 
Ill. Dec. 18, 2007). 

24 15 U.S.C. § 1681j(a)(1). Specialty CRAs include tenant and employment screening 
services, medical records databases, and check verification services. 




credit monitoring service. 25 To provide further clarity to consumers, Congress recently enacted 
legislation requiring entities that advertise “free” credit reports to disclose that such reports are 
available under federal law at annualcreditreport.com. 26 The FTC is promulgating a rule to 
implement this requirement. 

Third, the FACT Act empowered consumers to take steps to limit the damage from 
identity theft once they become victims. For example, consumers who have a good faith 
suspicion that they have been or are about to become victims of fraud or related crimes such as 
identity theft may place an initial, 90-day fraud alert on their credit files, alerting potential users 
of their reports to exercise special vigilance in opening accounts in the consumers’ names. 
Actual victims may request an extended, seven-year alert if they provide a police report to the 
CRA. 27 In addition, victims may obtain from creditors the underlying documentation associated 


25 FTC v. Consumerinfo.com, Inc., SACV05-801AHS(MLGx) (C.D. Cal. Aug. 15, 2005); 
FTC v. Consumerinfo.com, Inc., SACV05-801AHS(MLGx) (C.D. Cal. Jan. 8, 2007). In the 
original case in 2005, the Commission charged, among other things, that defendant 
Consumerinfo.com, an affiliate of the nationwide CRA Experian, had deceptively mimicked the 
FACT Act free report program. The stipulated order required the defendant to make prominent 
disclosures that its program is not associated with the free annual report program and provide a 
link to the official web site for that program, www.annualcreditreport.com. The defendants also 
agreed to pay $950,000 in disgorgement, and to provide refunds to dissatisfied past customers. 

In the 2007 case, the Commission alleged that Consumerinfo.com had violated the 2005 order. 
The new order includes a $300,000 judgment for consumer redress. 

26 See Pub. L. 111-24; 15 U.S.C. § 1681j(g). 

27 15 U.S.C. § 1681c-1. 




with transactions that may have been fraudulent, 28 block fraudulent information on their credit 
files, 29 and prohibit creditors from reporting fraudulent information to CRAs. 30 

Fourth, the FACT Act required businesses and organizations to detect and respond to “red 
flags,” or signs of identity theft. 31 To implement this requirement, the Commission and other 
federal financial regulators promulgated the Red Flags Rule, which seeks to ensure that financial 
institutions and creditors are on the lookout for signs of identity theft or attempted identity 
theft. 32 The Red Flags Rule and accompanying guidelines require financial institutions and 
creditors that hold certain consumer accounts or other accounts for which there is a reasonable 
risk of identity theft, to develop and implement a written “Identity Theft Program” to help spot 
identity theft. In recent months, the FTC staff has undertaken substantial outreach efforts to 
educate financial institutions and creditors about the Rule. This outreach has included 
developing a compliance guide for businesses, 33 distributing general and industry-specific 
articles, speaking before numerous audiences, responding to individual inquiries by telephone 


28 15 U.S.C. § 1681g 
29 15 U.S.C. § 1681c-2. 

30 15 U.S.C. § 1681s-2(a)(6). 

31 15 U.S.C. § 1681m(e). 

32 16 C.F.R. § 681.1. 

33 See Federal Trade Commission, Fighting Fraud with the Red Flags Rule, 
http://www.ftc.gov/redflagsrule. 




and e-mail, and working with a number of trade associations that are developing model policies 
or specialized guidance for their members. 34 

Finally, the FACT Act included provisions to improve consumers’ rights to dispute 
inaccuracies in their credit reports. Because businesses and other entities use consumer reports 
to grant credit, employment, insurance, and other benefits, it is critical that the information in the 
reports be as accurate as possible and that consumers have effective ways to dispute any 
inaccuracies. This is even more important for victims of identity theft, so that fraudulent 
information does not corrupt their credit reports. Previously, consumers could dispute 
inaccuracies in their credit reports only with CRAs; the FACT Act granted consumers the right to 
file disputes directly with the furnisher of the disputed information. 35 The FTC and other 
financial regulators have completed drafting regulations to implement this provision. 

In addition to implementing the specific identity theft protections of the FACT Act, the 
Commission is seeking to assess the effectiveness of these provisions by conducting a survey of 
identity theft victims that have filed complaints with the FTC. 36 The survey will provide 
information on victims’ understanding of the remedies available to them under the FACT Act, as 
well as the effectiveness of these remedies. The results will help guide the FTC’s efforts to 


34 Enforcement of the Red Flags Rule will begin after August 1, 2009. See Press Release, 
Federal Trade Commission, FTC Will Grant Three-Month Delay of Enforcement of “Red Flags” 
Rule Requiring Creditors and Financial Institutions to Adopt Identity Theft Prevention Programs 
(Apr. 30, 2009), http://ftc.gov/opa/2009/04/redflagsrule.shtm. 

35 15 U.S.C. § 1681s-2(a)(8). 

36 The FTC is conducting the survey pursuant to a recommendation of the President’s 
Identity Theft Task Force. 




enforce the law and educate consumers and the consumer reporting industry about their rights 
and duties. 

III. Legislative Recommendations 

The Commission has supported and continues to support additional legislation to 
improve its ability to fight identity theft. For example, the Commission has recommended that 
Congress enact federal legislation to establish data security standards across the private sector 
that would require all organizations that hold sensitive consumer data to take reasonable 
measures to safeguard it, and to notify consumers when the security of their information is 
breached. 37 In addition, the Commission has recommended that Congress provide it with 
authority to seek civil penalties in data security cases. 38 In most of the 26 data security cases 


37 See Prepared Statement of the Federal Trade Commission Before the Committee on 
Commerce, Science, and Transportation, United States Senate, 109th Cong. (Jun. 16, 2005), 
available at http://www.ftc.gov/os/2005/06/050616databreaches.pdf. Such legislation should be 
crafted carefully to avoid duplicate regulation of financial institutions and other entities covered 
by already-existing, comparable data security and breach notice obligations. 

Congress is considering legislation that contains these requirements. See, e.g., H.R. 
2221, 111th Cong. (2009). In addition, the American Recovery and Reinvestment Act, Pub. L. 
No. 111-5 (2009) (the “Recovery Act”), requires entities that collect certain individually 
identifiable health information to notify individuals when the security of such information has 
been breached. The Recovery Act charges the Department of Health and Human Services and 
the FTC with issuing rules to implement these requirements. In response, the FTC issued a 
Notice of Proposed Rulemaking in April 2009, 74 Fed. Reg. 17,914 (Apr. 20, 2009), and is 
considering comments received. The FTC plans to issue a final rule in August 2009. 

38 Id. See also Prepared Statement of the Federal Trade Commission Before the 
Subcomm. on Interstate Commerce, Trade, and Tourism of the S. Comm. on Commerce, 
Science, and Transportation Committee, 110th Cong. (Sept. 12, 2007) available at 
http://www.ftc.gov/os/testimony/070912reauthorizationtestimony.pdf; Prepared Statement of the 
Federal Trade Commission Before the S. Comm. on Commerce, Science, and Transportation, 
110th Cong. (Apr. 10, 2007) available at 
http://www.ftc.gov/os/testimony/P040101FY2008BudgetandOngoingConsumerProtectionandCompetitionProgramsTestimonySenate04102007.pdf. 
These recommendations also were made in 




described above, the Commission did not have the authority to obtain monetary penalties for 
data security violations, and the Commission believes that such authority would serve as an 
additional incentive for businesses to maintain reasonable data security measures. 

The Commission also has recommended legislation that would help reduce the 
unnecessary use and display of Social Security numbers (“SSN”), which are a particularly 
valuable tool for identity thieves. In its April 2007 strategic plan, the President’s Identity Theft 
Task Force called on agencies to build a comprehensive record on the uses of SSNs in the 
private sector and evaluate their necessity. Accordingly, the Commission issued a report last 
December examining myriad private sector uses of SSNs. 39 In the report, the Commission made 
two new legislative recommendations. First, it recommended that Congress consider 
establishing national consumer authentication standards. This recommendation recognizes that 
the first step to minimizing the role of SSNs in identity theft is to make it more difficult for 
thieves to use them to open new accounts, access existing accounts, or obtain other benefits or 
services. Thus, the report stated that Congress should require private sector entities to establish 
reasonable procedures to authenticate new or existing customers to ensure that they are who they 
say they are. 40 Second, the report recommended that Congress consider creating national 

the President’s Identity Theft Task Force strategic plan. See The President’s Identity Theft Task 
Force, Combating Identity Theft: A Strategic Plan, Apr. 2007, available at 
http://www.idtheft.gov/reports/StrategicPlan.pdf. 

39 See FTC Report, “Recommendations on Social Security Number Use in the Private 
Sector,” (Dec. 2008), available at http://www2.ftc.gov/opa/2008/12/ssnreport.shtm. 

40 The report recommended that this requirement cover all private sector entities that 
maintain consumer accounts, other than financial institutions already subject to authentication 
requirements promulgated by bank regulatory agencies. 




standards to reduce the public display and transmission of SSNs. Implementing these 
recommendations would make SSNs less available to identity thieves, and would make it more 
difficult for them to misuse those SSNs they are able to obtain. 

IV. Conclusion 

As explained in this testimony, the Commission has used multiple tools in its arsenal to 
fight identity theft, and is committed to continuing its work in this area. We appreciate the 
opportunity to testify, and look forward to working with you on this important issue. 




Mr. Clay. Mr. Weinstein. 

STATEMENT OF JASON M. WEINSTEIN 

Mr. Weinstein. Thank you. Good afternoon, Chairman Clay, 
Ranking Member McHenry. Thank you for your invitation to address 
the subcommittee this afternoon. 

As you know, identity theft affects millions of Americans every 
year and inflicts significant monetary and other harms upon its 
victims. Identity theft is by no means a new problem, but the 
methods used to commit this crime are evolving. While many criminals 
continue to use a variety of low-tech means to unlawfully acquire 
the personal information of others, in recent years, identity 
thieves have begun to use a variety of new technologies and new 
methods to access and exploit such information. As both individuals 
and businesses increasingly rely on computers and information 
technology to store, process and share confidential personal 
information, opportunities have increased for criminals to exploit 
advances in information technology to hack into the computers that 
store this information. 

Cybercrime, once the province of the lone hacker, is now a big 
business, and a growing number of potential victims are vulnerable. 
But as criminals have adapted to take advantage of new opportunities 
and data made available through networks and the 
Internet, law enforcement has adapted as well. The Department of 
Justice, along with our law enforcement partners, has been aggressively 
investigating and prosecuting crimes that facilitate and constitute 
identity theft with tremendous success. Our benchmark 
prosecutions of large-scale data breaches and the identity theft that 
results from those breaches highlight the range of our efforts to 
address this growing problem. 

For example, most recently in late 2008, the FBI announced the 
results of a 2-year undercover operation targeting members of the 
on-line carding forum known as Dark Market. At its peak the Dark 
Market Web site had over 2,500 registered members around the 
world. The operation resulted in nearly 60 arrests worldwide and 
prevented an estimated $70 million in economic loss. 

In August 2008, the Department and U.S. Secret Service announced 
the largest hacking and identity theft case ever prosecuted 
in which charges were brought in three districts against 11 members 
of an international hacking ring. The defendants, who hailed 
from the United States, Estonia, Ukraine, the People’s Republic of 
China and Belarus, were charged with, among other things, the 
theft and sale of more than 40 million credit and debit card numbers 
obtained from various retailers. 

In 2004, in Operation Firewall, the U.S. Secret Service and several 
components of the Department of Justice coordinated the 
search and arrest of more than 28 members of the Shadow Crew 
criminal organization, who were located in 8 States here in the 
United States and in 6 foreign countries. Members of that group 
were later charged in a 62-count indictment with trafficking in at 
least 1.5 million stolen bank and credit card numbers that resulted 
in losses in excess of $4 million. 

As a result of that case, the Shadow Crew Web site was disabled, 
which we believe prevented hundreds of millions of dollars in additional 
losses. And to date, with the exception of two fugitives, all 
of the domestic Shadow Crew defendants have pleaded guilty and 
received sentences of up to 90 months in prison. And Operation 
Firewall was one of our early efforts that paved the way for some 
of the more recent successes I mentioned and that are outlined in 
my written testimony. 

These cases that I’ve discussed and the others discussed in the 
written testimony illustrate the scope of the Department’s efforts 
to combat the growing identity theft problem, but notably they also 
reveal the global reach that cybercriminals can have. The identity 
thieves and the cybercriminals responsible for many of these and 
other large-scale data breaches live in and operate from foreign 
jurisdictions. Because of the global nature of the Internet and the 
identity-theft-related crimes it can facilitate, continued close 
coordination and cooperation with foreign law enforcement is critical to 
the success of our identity theft investigations and prosecutions 
here at home. 

In addition to our efforts to investigate and prosecute identity 
theft, we are also committed to continuing to work in coordination 
with other agencies to aid the victims of this serious crime through 
grants such as grants at the Identity Theft Resource Center and 
other agencies, training and other victim assistance programs. 

Now, while the Department is proud of these cases and of all of 
our efforts to tackle the growing and evolving identity theft problem, 
we recognize that there is much more to be done, and we will 
continue to work with the law enforcement and private-sector partners 
to meet that challenge. Our continued success is dependent on 
our ability to, No. 1, build upon the United States’ existing relationships 
with international partners to strengthen law enforcement 
cooperation channels internationally; and, No. 2, to explore legislation 
that will strengthen the penalties for stealing identity information 
and other related cybercrimes, and that would require security 
breach reports to Federal law enforcement so that we may pursue 
the criminals responsible for the acts as quickly and vigorously as 
possible. 

This, of course, is just a brief overview of the Department’s role 
in combating these crimes and the primary issues we must focus 
on as we press ahead. We are very glad to have the opportunity 
this afternoon to discuss these issues with you further, and at the 
appropriate time I would be pleased to answer questions. 

Mr. Clay. Thank you so much. 

[The prepared statement of Mr. Weinstein follows:] 






department of justice 


STATEMENT OF 

JASON M. WEINSTEIN 
DEPUTY ASSISTANT ATTORNEY GENERAL 
CRIMINAL DIVISION 

UNITED STATES DEPARTMENT OF JUSTICE 


BEFORE THE 

UNITED STATES HOUSE OF REPRESENTATIVES 
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM 
SUBCOMMITTEE ON INFORMATION POLICY, CENSUS, AND 
NATIONAL ARCHIVES 


HEARING ENTITLED 

"IDENTITY THEFT: A VICTIMS BILL OF RIGHTS" 


PRESENTED 


JUNE 17, 2009 





Good afternoon, Chairman Clay and Ranking Member McHenry. It is a pleasure to 
appear before you to testify about the Department of Justice’s commitment to the critical goal of 
investigating and prosecuting of identity theft crimes. 

As you know, identity theft is not a new problem. But it is one that continues to evolve 
as criminals develop more sophisticated and diverse methods to access and exploit the personal 
information of others. As criminals capitalize on the new opportunities and data made available 
through networks and the Internet, the Department of Justice (the Department) continues to adapt 
so that we can fully address these new developments. Reflecting this trend, there are currently 
over 2,000 active cases related to identity theft pending in the U.S. Attorney’s Offices (USAOs), 
and there has been a 138.2 percent increase in identity theft convictions by USAOs between 
Fiscal Year (FY) 2004 and FY 2008. 

The Department, through its Criminal Division, the Federal Bureau of Investigation 
(FBI), the USAOs, and other components, along with our other law enforcement partners, has 
been aggressively investigating and prosecuting crimes that facilitate or constitute identity theft. 
Today I will highlight some of the Department’s historical successes in the prosecution of 
individuals and organizations involved in the theft and trafficking of personal and financial 
information, as well as some of our ongoing efforts to tackle this growing problem. Given the 
short time we have today, this summary cannot capture all of the important work being done by 
the Department’s prosecutors at Main Justice and in USAOs around the country. I hope, 
however, that it can provide you with a clear picture of some of our efforts to combat identity 
theft, and a better idea of how they have resulted in some of the most important prosecutions 
brought over the past few years. 

Before getting into specific cases, I will discuss how identity theft has evolved in recent 
years and the challenges that this evolution poses to the Department and its law enforcement 
partners. We consistently look for ways to meet these challenges and ensure our continued 
success. But we recognize that as always, we can and must do more. To that end, it is critical to 
our success that we build upon and improve the existing coordination mechanisms we have with 
our international partners and the private sector, and that we explore potential enhancements to 
the identity theft-related laws. We are very glad to have this opportunity to discuss these issues 
in particular with you. 


I. THE COST OF IDENTITY THEFT 

Each year, millions of Americans suffer the costs of identity theft. By one estimate, 
identity theft became the fastest growing crime in 2008, affecting approximately 10 million 
Americans - a 25 percent increase over the 8 million reported victims in 2005. 1 This crime 
“exacts a serious toll on the American public,” with annual monetary losses “in the billions of 


1 Senator Patrick Leahy, Statement On Passage Of The Former Vice President Protection Act of 2008, H.R. 5938 
(September 15, 2008). 




dollars,” as recognized in the 2007 Strategic Plan of the President’s Identity Theft Task Force. 2 
It also, however, imposes other significant costs that extend well beyond the direct financial 
losses to individual victims. Take as an example an instance in which corporate insiders are 
compromised or corporate databases are breached to obtain individual personal or financial 
information in a manner that constitutes identity theft. In such a case, not only do the affected 
individuals suffer the monetary losses they incur as a result, but the affected businesses must 
bear the indirect costs of fraud prevention and mitigation of the harm, including potentially 
significant reputational harm. 

Similarly, individual victims may suffer additional indirect costs, including not only 
financial costs related to potential civil litigation by creditors and the obstacles that can arise in 
obtaining or retaining credit, but also the substantial time required to repair the damage that the 
identity thieves caused, such as correcting fraudulent information in credit reports, closing 
existing bank accounts and opening new ones, and disputing charges with creditors. 
Furthermore, many identity theft victims report that they must endure the uncertainty of whether 
and how an identity thief will cause new problems for them. As one victim put it, in connection 
with the sentencing of an identity thief, 

I am constantly wondering when I will be attacked again. I have no way of 
knowing who else [the defendant] has distributed my personal information to ... . 

It would have been better to have been mugged at gunpoint, since at least then I 
would have my peace of mind knowing that it was a one-time event. 3 

Many of the identity theft cases that the Department has prosecuted demonstrate that 
even a single criminal can cause extensive harm to individual victims. In a prosecution by the 
USAO for the Middle District of Tennessee, for example, one defendant victimized over 100 
people, repeatedly using the stolen identities of minor children, the homeless and others to place 
multiple fraudulent loans on the same property without the knowledge or consent of the true 
owners. He was ultimately required to pay $5.9 million in restitution and sentenced to 26 years 
and four months in prison. 


II. THE EVOLUTION OF IDENTITY THEFT 

As I have already alluded to, two related phenomena have been driving the recent 
explosion in identity theft. First, both individuals and businesses heavily rely on computers and 
information technology to store, process, and share confidential personal information. The 
modern provision of financial services and health care - just to name two examples - would be 
largely unthinkable without the electronic storage and processing of information. Similarly, 
individuals engage in a myriad of daily activities that make use of information technology, 
including online banking, shopping, and email. As a result, there is an increasingly vast amount 
of confidential personal information routinely stored and shared on computer systems. 


2 President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan at 11 (April 2007), 
available at http://www.idtheft.gov/ . 

3 See United States Attorney’s Office, Western District of Washington, Press Release (May 4, 2007), available at 
http://seattle.fbi.gov/doipressrel/2Q07/Dr050407.htm . 




Second, various criminal groups in the United States and abroad recognize how valuable 
personal confidential information is and explore new ways to gain access to large volumes of 
such information to make substantial profits from its fraudulent sale. Criminals often use a wide 
variety of low-tech means of unlawfully acquiring individuals’ personal data, ranging from mail 
theft to compromise of insiders at financial institutions and companies. They also have become 
adept at exploiting advances in information technology to hack into the computers that store this 
information. Cybercrime - once the province of the lone hacker - is now big business. It 
involves large-scale data breaches and the sale of personal confidential information, particularly 
personal financial information, including credit card and bank account numbers. In fact, large- 
scale data breaches present one of the most challenging developments in the identity theft 
problem. Additionally, techniques such as “phishing,” the use of fraudulent email and websites 
to deceive Internet users into disclosing their personal data, and carding, the online trafficking in 
stolen or fraudulently obtained personal data, are also routinely used by criminals involved in 
identity theft. 

The Internet provides a unique venue through which “carders” can obtain sellable 
information, advertise and sell stolen data to the highest bidder, and self-organize to facilitate 
their activities. For example, carders often become members of website forums designed to 
provide an active marketplace for the sale of, among other contraband, stolen credit and debit 
card numbers; compromised personally-identifiable information, including an individual’s 
address, phone number, social security number, personal identification numbers (PINs), credit 
history report, and mother’s maiden name; and false identification documents. And once stolen 
identity information is sold, the purchasers frequently engage in a wide array of fraudulent 
activity. For example, in recent years, criminal carding organizations engaged in what is known 
as “PIN cashing” have developed sophisticated networks in which stolen financial information is 
immediately disseminated to designated groups of criminals who withdraw money from ATMs 
all over the world within a short time period. In one example, PIN cashers made 9,000 
withdrawals worldwide totaling $10 million in less than 48 hours from four compromised 
prepaid debit card accounts. 

Hackers steal information from public and private institutions - everything from large 
corporate databases to residential wireless networks - using sophisticated tools to penetrate 
firewalls and automated processes to search for account data or other personal information, 
export the data, and hide their tracks. Hackers also employ malicious software - such as 
spyware and keystroke loggers - to collect information from infected computers and send that 
information back to an identity thief so that it can be sold. Indeed, the marriage of large-scale 
data-breaches and organized cyber crime represents the latest and most challenging evolution of 
identity theft. The use of sophisticated, high-tech measures by organized criminal networks 
represents a significant challenge to the investigation and prosecution of these crimes. 


III. THE DEPARTMENT’S RESPONSE TO THE THREAT OF IDENTITY THEFT 

Targeting identity theft is an important priority for the Department. In recent years, the 
Department has aggressively prosecuted a wide variety of identity theft schemes throughout the 
country, including those involving data breaches and carding. Within the Criminal Division, the 
Computer Crime and Intellectual Property Section (CCIPS) investigates and prosecutes these 
large-scale data breaches and coordinates prosecutions that involve multiple USAOs and foreign 
countries, the Fraud Section investigates and prosecutes significant fraud cases that involve 
identity theft, such as healthcare fraud, financial institution fraud, and securities fraud, and the 
Organized Crime and Racketeering Section partners with these Sections and USAOs to lend its 
expertise in dismantling the criminal organization. Throughout the country, our USAOs actively 
investigate and prosecute cases involving data breaches and identity theft. 

On the international front, the Office of International Affairs in the Criminal Division 
supports international cooperation efforts by implementing mutual legal assistance treaties 
(MLATs) and international conventions that have yielded significant evidence for use in US and 
foreign prosecutions and by marshaling efforts to extradite international fugitives. 

Finally, to facilitate information-sharing and coordination among USAOs and federal 
agencies in identity-theft matters, the Department also chairs several interagency working 
groups, such as the Identity Theft Enforcement Interagency Working Group and the recently- 
established Payments Fraud Working Group, which it co-chairs with the Board of Governors of 
the Federal Reserve System. The Department also helped to lead the Identity Theft Task Force, 
which also addressed many of these issues. 

The combined force of all of these efforts, along with the efforts of the FBI and the 
Department’s other law enforcement partners, has resulted in a number of benchmark 
prosecutions that highlight the range of the Department’s efforts to address the growing problem 
of identity theft, and in particular, that facilitated by large-scale data breaches. 

A. “OPERATION FIREWALL” 

Much of the Department’s successful investigative work targeting carding has its roots in 
the Department’s earliest efforts to dismantle highly-organized carding enterprises. As just one 
example, in 2004, as part of an undercover investigation known as Operation Firewall, the 
Department and the U.S. Secret Service (USSS) coordinated the search and arrest of more than 
28 members of the “Shadowcrew” criminal organization, located in eight states in the United 
States and six foreign countries. This operation required significant international cooperation 
among the law enforcement agencies of the United Kingdom, Canada, Bulgaria, Belarus, Poland, 
Sweden, the Netherlands, and Ukraine. Members of the group were later charged in a 62-count 
indictment with trafficking in at least 1.5 million stolen credit and bank card numbers that 
resulted in losses in excess of $4 million. As part of this takedown, the USSS disabled the 
Shadowcrew website. We believe that had the organization not been interrupted, there might 
have been hundreds of millions of dollars in additional losses. Instead, the Shadowcrew criminal 
organization’s activity stopped, and to date, with the exception of two fugitives, all of the 
domestic Shadowcrew defendants have pleaded guilty and received sentences of up to 90 months 
in prison. 




B. RECENT SUCCESSES 

Building upon these early efforts, in recent years, the Department has had increasing 
success combating identity theft through the investigation and prosecution of carders and large- 
scale data breaches, including: 

• Dark Market carding forum. In late 2008, the FBI announced the results of a two- 
year undercover operation, conducted in conjunction with CCIPS, targeting members 
of the online carding forum known as Dark Market. At its peak, the Dark Market 
website had over 2,500 registered members around the world. This operation resulted 
in 56 arrests worldwide and prevented an estimated $70 million in economic loss. 

• International hacking ring. In August 2008, the Department and USSS announced 
the largest hacking and identity theft case ever prosecuted, in which charges were 
brought in three districts against 11 members of an international hacking ring, 
including Maksym Yastremskiy, known online as “Maksik” and believed to be one of 
the top traffickers in stolen account information, with alleged sales of hundreds of 
thousands of credit and debit card numbers. The various defendants - who were from 
the United States, Estonia, Ukraine, the People’s Republic of China, and Belarus - 
were charged with, among other things, the theft and sale of more than 40 million 
credit and debit card numbers obtained from various retailers including TJX 
Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, 
Sports Authority, Forever 21, Dave & Buster’s, and DSW. 

• Operation CardKeeper - Operation CardKeeper, led by the FBI and the USAO for 
the Eastern District of Virginia, resulted in the arrests of thirteen individuals in 
Poland and eight in the United States after significant international cooperation. 
Operation CardKeeper also resulted in the U.S. conviction of an individual known 
online as “John Dillinger,” who was sentenced in 2007 to 94 months in federal prison 
for his carding activity, including aggravated identity theft, among other things. 
Computers seized from him revealed more than 4,300 compromised account numbers 
and full identity information for over 1,600 individual victims. 

• “Iceman.” In late 2007, a major supplier of tens of thousands of credit card accounts 
to carding forums was indicted for wire fraud and identity fraud. Max Ray Butler, 
known online as “Iceman,” was the co-founder and administrator of the carding 
forum Cardersmarket. He is currently awaiting trial. 

C. INTERNATIONAL LAW ENFORCEMENT COOPERATION 

As these cases illustrate, identity thieves and cybercriminals responsible for many of 
these large scale data-breaches live in and operate from foreign jurisdictions. In certain cases, 
hackers both in the United States and abroad route communications through computers located in 
so-called “hacker havens.” In other cases, the hackers themselves operate in foreign countries 
that law enforcement consider to be “hacker havens.” They do this to exploit the many hurdles 
faced by law enforcement in investigating transnational crimes. The Department continues to 
cooperate with foreign law enforcement in prosecuting individuals in the United States. 
Although the Department’s principal law enforcement mission is prosecuting individuals in the 
United States, the Department also recognizes that an important tool in combating identity theft 
and cybercrime involves assisting foreign law enforcement in bringing successful prosecutions in 
their own countries. A number of recent investigations begun in the U.S. have resulted in 
successful prosecutions in foreign countries long considered to be so-called “hacker havens.” For 
example, based on close cooperation between the Department, the FBI, and the Romanian 
National Police Cybercrime Divisions, prosecutors from that country’s Directorate for 
Investigating Organized Crime and Terrorism arrested eleven Romanian citizens on fraud and 
identity theft charges in November 2007. They were part of a criminal organization that 
specialized in “phishing” information from computer users, imprinting credit and debit card 
information onto counterfeit cards, and then using those cards to obtain cash from ATMs and 
Western Union locations. Romanian police officers executed 21 search warrants and seized 
computers, card reading and writing devices, blank cards, and other equipment. More recently, 
between February 2008 and March 2009, over 40 defendants were charged in Romania - along 
with 12 in the United States - for their participation in a sophisticated hacking scheme involving 
the theft of corporate bank account information, and the use of that stolen information in a 
variety of fraudulent transactions. 

Because of the global nature of the Internet and the identity theft-related crimes it can 
facilitate, close coordination and cooperation with foreign law enforcement is vital to the success 
of identity theft investigations and prosecutions. To that end, the Department serves as the 
United States point of contact in the G-8 24/7 High Tech Crime Points of Contact network, 
which consists of more than 50 countries available around the clock to assist other members with 
high tech issues in criminal cases. The Identity Theft Task Force’s Strategic Plan recommended 
that the Department and other departments and agencies take additional steps to improve 
coordination and evidence sharing with foreign law enforcement agencies. International 
cooperation in the arrest and prosecution of cybercrime and identity theft is also a central part of 
the Department’s new strategy to combat international organized crime (IOC), announced in 
2008. The Department’s strategy recognizes the threat that international organized cyber crime 
poses to the security and stability of the U.S. economy, particularly to the security of personal 
financial information and the stability of business, financial and government infrastructures. As 
set forth in the document announcing the IOC Strategy, “[t]o effectively carry-out cross cutting 
operations to disrupt and dismantle IOC groups, U.S. law enforcement must capitalize on 
established relationships with vetted foreign officials and build international partnerships to 
collaborate in the domestic and foreign prosecution of IOC cases.” 4 

We believe that on this front, the United States should continue to press other nations to 
accede to the Convention on Cybercrime (2001), which will improve cooperation between law 
enforcement agencies. The Convention, which the U.S. ratified in 2006, assures that other 
countries enact suitable domestic legislation criminalizing identity theft, in part to facilitate 
information-sharing under mutual legal assistance treaties and the extradition of criminal 
defendants. 


4 U.S. Department of Justice, Overview of the Law Enforcement Strategy to Combat International Organized Crime 
(April 2008), available at http://www.usdoj.gov/ag/speeches/2008/ioc-strategy-public-overview.pdf . 




In addition, the United States should continue to work closely with multilateral 
organizations to urge other countries to review their criminal codes and criminalize identity- 
related criminal activities where appropriate. The Department has had substantial success in 
carrying out this recommendation. The Department also has been an active participant since 
2008 in the United Nations Office on Drugs and Crime’s Core Group of Experts on Identity- 
Related Crime, which has encouraged efforts to have countries examine their domestic criminal 
codes and identify areas in which those codes can be revised to address all aspects of identity 
theft appropriately. Most recently, at the April 2009 meeting of the United Nations Crime 
Commission, the Department played a substantial role in the drafting and approval of a 
resolution (for adoption by the United Nations Economic and Social Council later this year) that 
encourages United Nations Member States to combat fraud and identity theft by ensuring 
adequate investigative powers and, where appropriate, by reviewing and updating the relevant 
laws. 5 The Identity Theft Task Force’s Strategic Plan also directs the U.S. government to 
identify countries that are safe havens for identity thieves and to use appropriate diplomatic and 
enforcement mechanisms to encourage those countries to change their practices. The 
Department has begun this process, gathering information from a range of law enforcement 
authorities. The G-8 Roma/Lyon group has also worked to improve international response to 
identity theft and cybersecurity. In May 2009, the Justice and Interior Ministers of the G-8 met 
to discuss these issues, among others. The Ministers committed to strengthen international 
cooperation to combat this type of crime, including continued and improved cooperation with the 
private sector, increased training, and practical information exchanges on effective law 
enforcement practices in the field. Additionally, in February 2009, the G-8 Roma/Lyon Group 
approved for further dissemination a paper that examines the criminal misuse of identification 
information and identification documents within the G-8 States and proposes “essential 
elements” of criminal legislation to address identity-related crime. The Department played a 
substantial role in drafting this paper and in urging its approval by the Roma/Lyon Group. 

Finally, law enforcement cooperation can be hampered by our inability, in certain cases, 
to assist foreign law enforcement agencies. Only by providing assistance to other countries can 
we expect them to provide critical evidence for our own investigations. Appendix D of the 
Strategic Plan contained a legislative proposal that would clarify our courts’ authority to compel 
disclosure of evidence to assist foreign law enforcement investigations. 

D. ASSISTANCE TO IDENTITY THEFT VICTIMS 

Beyond addressing the threat through prosecution, the Department also works in 
coordination with other agencies to aid the victims of identity theft. DOJ’s Office for Victims of 
Crime has provided substantial grants to organizations at the national, regional, state, and city 
level for programs that provide direct assistance to identity theft victims. The grant recipients are 
the Identity Theft Resource Center, one of the panel members who will be testifying before this 
subcommittee, the Victims’ Initiative for Counseling, Advocacy, and Restoration of the 
Southwest, the Maryland Crime Victims’ Resource Center, Inc., and Atlanta Victim Assistance. 
Each of these grantees has developed resources, projects, and protocols that can serve as 
models for other victim assistance programs. 


5 See United Nations Economic and Social Council, Document No. E/CN.15/2009/L.2/Rev.1 (April 23, 2009), 
available at http://daccessdds.un.org/doc/UNDOC/LTD/V09/829/09/PDF/V0982909.pdf?OpenElement. 




A variety of state and federal programs, as well as non-profit organizations, provide 
direct assistance to identity theft victims. The Task Force recommended that member agencies 
develop nationwide victim assistance training for counselors at these programs. Accordingly, 
DOJ’s Office for Victims of Crime (OVC) conducted a national training session, developed in 
cooperation with the FTC, for victim-witness coordinators in 2007. To increase identity theft 
victim assistance services, OVC has encouraged Victims of Crime Act (VOCA) victim 
assistance administrators to expand their program outreach to identity theft victims. OVC also 
has highlighted identity theft and fraud issues at the VOCA Administrators’ Annual Conferences 
by supporting victim impact workshops to help recognize the needs of identity theft victims and 
expand program services using VOCA victim assistance dollars. Through these efforts, the 
Department has helped alleviate some of the difficulties faced by identity theft victims and has 
assisted them in recovering from the damage caused by identity theft. 


IV. STRENGTHENING IDENTITY THEFT LAWS 

A. SENTENCING ENHANCEMENTS 

In addition to legislation that would improve our ability to cooperate with our 
international law enforcement partners, the Department believes that there are ways to improve 
the identity theft laws. Congress should strengthen the penalties for stealing identity information 
and other related cybercrimes. This could be accomplished both by amending the sentencing 
provisions of the Computer Fraud and Abuse Act (18 U.S.C. § 1030) and by altering the way in 
which the U.S. Sentencing Guidelines treat these offenses. At the direction of Congress, the 
Sentencing Commission recently completed a review of this issue, but their proposed 
amendments to the Guidelines are minor and do not adequately take into account the scope of the 
problem or Congress’ directive to the Commission. We would be happy to work with Congress 
to develop a more appropriate sentencing scheme that will deter identity thieves and provide for 
just punishment of offenders. 

B. BREACH REPORTING 

Immediate reporting of incidents to law enforcement is also vital to law enforcement’s 
ability to investigate large-scale data breaches. Immediate reporting necessarily relies upon each 
potential victim company’s capacity to promptly detect an incident, but we know from 
experience that prompt detection will not itself result in a report from the victim company. For a 
variety of reasons, data breaches are significantly underreported, and as a result, law enforcement 
efforts to bring criminals to justice are significantly hampered. If law enforcement never learns 
of the incident, we will not be able to investigate it; if we hear about it too late, we may be 
unable to preserve critical evidence or identify the perpetrators. On the other hand, several 
recent successes in tracking down the perpetrators of high-profile data breaches are the direct 
result of immediate information from victim companies on how the hackers entered and exited 
their systems, including the specific IP addresses used in the attack. For example, in the Dave & 
Buster’s case, which was a part of the international hacking ring prosecuted in 2008, when Dave 
& Buster’s became aware of intrusions, they took measures to log access to their computers, 
block the intruder’s further attempts to collect credit and debit card data, and identify for law 
enforcement the intruder's IP address. While companies like VISA require by policy that all 
entities that suspect or have confirmed that a security breach occurred must contact federal law 
enforcement, few laws require the victim company to notify law enforcement. In its April 2007 
Strategic Plan, the Identity Theft Task Force recommended the establishment of a national 
standard requiring entities that maintain sensitive data to provide timely notice to law 
enforcement in the event of a breach. Because only a handful of state laws currently require 
reporting to law enforcement and because private sector rules are neither universal nor 
consistently enforced across the various companies, we urge Congress to consider requiring 
security breach reports to federal law enforcement using a mechanism that ensures that the USSS 
and FBI have access to the reports. Any legislation should contain provisions to ensure that 
breaches are reported to law enforcement prior to notifying individual victims, and to permit law 
enforcement to seek delayed notification, so that law enforcement has sufficient time to preserve 
evidence and investigative leads. 

This concludes my remarks. I would be pleased to answer questions from you and other 
members of the Subcommittee. 




Mr. Clay. Mr. Bertoni, you are recognized for 5 minutes. 

STATEMENT OF DANIEL BERTONI 

Mr. Bertoni. Mr. Chairman, members of the subcommittee, good 
afternoon. I am pleased to be here to discuss the role that personally 
identifiable information plays in identity theft. Such information, 
including one’s name, date of birth and SSN, is key to carrying 
out so many activities of daily life; however, this information 
is also valuable to persons seeking to commit fraud or identity 
theft. Advances in information technology have made it easier to 
collect and share sensitive information, but also result in more 
incidents of loss in unauthorized use. 

My remarks today focus on three areas: Why we should be concerned 
about identity theft; actions taken at the Federal, State and 
local levels; and continuing challenges to protecting sensitive 
information. 

In summary, identity theft affects 10 million persons annually, 
translating into reported losses of $50 billion. Victims are often 
unaware that the crime has taken place until much harm has been 
done to their credit rating, and could face substantial costs and 
inconvenience repairing the damage. Others have lost jobs, been 
refused loans or even arrested for crimes they didn’t commit. 

During the course of our work, we have documented real-life 
examples of identity theft, both domestic and international, including 
the 2006 case of an Ohio woman who led a group of identity thieves 
in stealing information from public recordkeeper Web sites, 
resulting in $450 million in losses. In the 2007 case of an individual who 
partnered with thieves from Russia and Romania in an on-line 
phishing scam. In compromise there were 4,000 credit card 
accounts and obtained full identity information for over 1,600 victims. 

Various laws and actions at the Federal, State and local level 
aim to deter identity theft. At the Federal level the Privacy Act of 
1974 and E-Government Act of 2002 define agencies’ responsibility 
for protecting personal information. Moreover, the Federal 
Information Security Management Act of 2002 requires agencies to develop 
programs for securing sensitive data in information systems. 

Over the last several years, the Office of Management and Budget 
has also issued numerous directives requiring agencies to put in 
additional steps for safeguarding personal information, including 
establishing senior privacy officers and developing data breach 
notification plans. 

States and localities have also acted to prevent identity theft and 
assist victims. More States now recognize identity theft and related 
activities as a crime, while many others have incorporated victim 
assistance provisions into their laws, such as credit or security 
freezes. And some county governments have also begun removing 
or truncating SSNs displayed in their public records. 

Despite these actions, vulnerabilities persist in three areas. First, 
issues related to the display and uses of the SSN have not been 
sufficiently addressed. Because of its unique nature and broad 
applicability, the SSN has become the identifier of choice for both the 
public and private sectors. Unfortunately — unfortunately, millions 
of electronic public records contain SSNs that can be easily 
compromised due to the absence of a national standard for SSN 
truncation. That is the practice of blocking the first five or last four digits 
of the number. To illustrate, within a matter of minutes, we easily 
reconstructed full 9-digit SSNs and other identity information for 
individuals in 10 States by combining various electronic records 
that use disparate truncation methods. We have recommended that 
the Congress establish a national truncation standard. 

Second, Federal law does not cover all data or services provided 
by information resellers in other industries. Today data resellers 
and their contractors electronically amass and share large amounts 
of personal information; however, no Federal law explicitly requires 
them to safeguard all personal data even when it is sensitive and 
subject to misuse by identity thieves. We have recommended the 
Congress strengthen requirements for information resellers in 
other industries similar to those imposed on financial institutions. 

Last, Federal agencies continue to experience security incidences 
that may expose sensitive information to identity thieves. Federal 
agencies rely heavily on automated systems and electronic data 
which must be protected against unauthorized use. We have made 
numerous recommendations to broadly strengthen the integrity of 
Federal information systems and ultimately reduce breaches and 
other security incidents; however, continued breaches at various 
Federal agencies and facilities such as the National Archives 
underscore the importance of vigilance in this area. 

We have noted that data-breach notifications to affected parties 
can have clear benefits in terms of mitigating the impacts of 
identity theft in enhancing public accountability, and have 
recommended that OMB develop guidance to help agencies make 
risk-based decisions as to what services to offer individuals whose 
personal information has been compromised, and we will continue to 
monitor progress in this area. 

Mr. Chairman, this concludes my statement. I’m happy to 
answer any questions that you or the other members of the 
subcommittee may have. Thank you. 

Mr. Clay. Thank you so much, Mr. Bertoni. 

[The prepared statement of Mr. Bertoni follows:] 





United States Government Accountability Office 


GAO 

Testimony 

Before the Subcommittee on Information 
Policy, Census and National Archives, 
Committee on Oversight and Government 
Reform, House of Representatives 

For Release on Delivery 

Expected at 2:00 p.m. EDT 
Wednesday, June 17, 2009 

IDENTITY THEFT 

Governments Have Acted to 
Protect Personally 
Identifiable Information, but 
Vulnerabilities Remain 


Statement of Daniel Bertoni, Director 

Education, Workforce, and Income Security Issues 




GAO-09-759T 







June 17, 2009 


IDENTITY THEFT 

Governments Have Acted to Protect Personally 
Identifiable Information, but Vulnerabilities Remain 


What GAO Found 

Identity theft is a serious problem because, among other things, it can take 
a long period of time before a victim becomes aware that the crime has 
taken place and thus can cause substantial harm to the victim’s credit 
rating. Moreover, while some identity theft victims can resolve their 
problems quickly, others face substantial costs and inconvenience 
repairing damage to their credit records. Some individuals have lost job 
opportunities, been refused loans, or even been arrested for crimes they 
did not commit as a result of identity theft. Millions of people become 
victims of identity theft each year. The Federal Trade Commission (FTC) 
estimates that in 1 year, as many as 10 million people — or 4.6 percent of 
the U.S. adult population — discover that they are victims of some form of 
identity theft, translating into reported losses exceeding $50 billion. 

Several steps have been taken, both in terms of legislation and 
administrative actions to combat identity theft at the federal, state and 
local levels, although efforts to assist victims of the crime once it has 
occurred remain somewhat piecemeal. While there is no one law that 
regulates the overall use of personally identifiable information by all levels 
and branches of government, numerous federal laws place restrictions on 
public and private sector entities’ use and disclosure of individuals’ 
personal information in specific instances, including the use and 
disclosure of Social Security Numbers (SSN) — a key piece of information 
that is highly valuable to identity thieves. One intention of some of these 
laws is to prevent the misuse of personal information for purposes such as 
identity theft. 

Despite efforts to prevent identity theft, vulnerabilities remain and can be 
grouped into several areas, including display and use of Social Security 
numbers, availability of personal information through information 
resellers, security weaknesses in federal agency information systems, and 
data security breaches. GAO’s work indicates that persistent weaknesses 
appear in five major categories of information system controls, including 
access controls which ensure that only authorized agency personnel can 
read, alter, or delete data. As a result, federal systems and sensitive 
information are at increased risk of unauthorized access and disclosure, 
modification, or destruction, as well as inadvertent or deliberate 
disruption of system operations and services. GAO has reported that 
federal agencies continue to experience numerous security incidents that 
could leave sensitive personally identifiable information in federal records 
vulnerable to identity theft. 


United States Government Accountability Office 




Mr. Chairman and Members of the Subcommittee: 

I am pleased to be here today to discuss the role that personally 
identifiable information plays in identity theft, efforts taken by 
governments to prevent identity theft, and vulnerabilities that remain to 
protecting individuals’ identities. Personally identifiable information 
includes information that can be used to locate or identify an individual, 
including names, date of birth, Social Security number (SSN), biometric 
records, or other information that can be linked to an individual. Identity 
theft occurs when individuals’ personal identifying information is used 
without authorization in an attempt to commit fraud or other crimes. 
Identity thieves use personally identifiable information to open new 
financial accounts and incur charges (such as opening credit accounts in 
that individual’s name), to take over an individual’s existing accounts to 
make unauthorized charges or withdraw money, or to assume another 
person’s identity. Accordingly, my remarks today will address (1) the 
problem of identity theft; (2) steps taken at the federal, state, and local 
level, to prevent potential identity theft and assist victims of this crime; 
and (3) vulnerabilities that remain to protecting personally identifiable 
information, particularly in federal information systems. 

In summary, identity theft is a serious crime that affects millions of 
individuals each year with costs, according to a Federal Trade 
Commission estimate, that exceeded $50 billion in a single year. Victims of 
identity theft may not realize the crime has been committed for months or 
years, with potential serious consequences financially, civilly, and even 
criminally. Once victimized, individuals may have to deal with a complex 
array of public and private organizations to correct the damage, often at 
great expense to themselves both in terms of time and money. Steps have 
been taken in both the public and private sectors in an attempt to prevent 
or detect identity theft, and where possible, assist victims. These include 
federal and state laws, law enforcement activities, and guidance and other 
assistance provided to consumers. Despite these steps, vulnerabilities 
remain. In particular, recent security breaches of both federal and private 
data sources have highlighted the challenges that remain to preventing 
identity theft. We and agency inspectors general have made numerous 
recommendations in recent years to federal agencies to resolve significant 
control deficiencies and information security program shortfalls. In 
particular, we have noted that agencies also need to implement controls 
that reduce the chance of incidents involving data loss or theft, computer 
intrusions, and privacy breaches. 




GAO-09-759T Identity Theft 





For this testimony, we primarily relied on information from our prior 
reports and testimonies that address public and private sector use of 
personally identifiable information, as well as federal, state and local 
efforts to protect the security of such information. These products were 
issued from 2002 to 2009 and are listed in the related GAO products 
section at the end of this statement. The work on which this testimony is 
based was performed in accordance with generally accepted government 
auditing standards. Those standards require that we plan and perform the 
audit to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. We 
believe that the evidence obtained provides a reasonable basis for our 
findings and conclusions based on our audit objectives. 


Background 


The growth in information technology, networking, and electronic storage 
has made it ever easier to collect and maintain information about 
individuals. An accompanying growth in incidents of loss and 
unauthorized use of such information has led to increased concerns about 
protecting this information on federal systems as well as from private- 
sector sources, such as data resellers that specialize in amassing personal 
information from multiple sources. As a result, additional laws protecting 
personally identifiable information collected and maintained by both 
government and private-sector entities have been enacted since the 
Privacy Act of 1974, including measures that are particularly concerned 
with the protection of personal data maintained in automated information 
systems. 

Protecting personally identifiable information in federal systems, such as 
names, date of birth and SSNs, is critical because its loss or unauthorized 
disclosure can lead to serious consequences for individuals. These 
consequences include identity theft or other fraudulent activity, which can 
result in substantial harm, embarrassment, and inconvenience. 


Identity Theft Is a Serious Problem 


Identity theft is a serious problem because, among other things, it may 
take a long period of time before a victim becomes aware that the crime 
has taken place, and thus can cause substantial harm to the victim’s credit 
rating. Moreover, while some identity theft victims can resolve their 
problems quickly, others face substantial costs and inconvenience 
repairing damage to their credit records. Some individuals have lost job 
opportunities, been refused loans, or even been arrested for crimes they 
did not commit as a result of identity theft. 




Millions of people become victims of identity theft each year. The Federal 
Trade Commission (FTC) estimates that in 1 year, as many as 10 million 
people — or 4.6 percent of the U.S. adult population — discover that they are 
victims of some form of identity theft, translating into reported losses 
exceeding $50 billion. In 2007, the FTC estimated that the median value of 
goods and services obtained by identity thieves was $500, with 10 percent 
of victims reporting the thief obtained $6,000 or more. Similarly, a more 
recent 2008 industry survey estimated that 9.9 million adults in the United 
States were victims of identity fraud. 1 While available data suggest that 
identity theft remains a persistent and serious problem, the FTC found that 
most victims of identity theft do not report the crime. Therefore, the total 
number of identity thefts is unknown. 

Several examples we previously identified illustrate the magnitude of the 
losses that could occur from a single incident and how aggregated 
personal information can be vulnerable to misuse: 

• A help desk employee at a New York-based software company, which 
provided software to its clients to access consumer credit reports, stole 
the identities of up to 30,000 individuals by using confidential passwords 
and subscriber codes of the company’s customers. The former employee 
reportedly sold these identities for $60 each. Furthermore, given the 
explosion of Internet use and the ease with which personally identifiable 
information is accessible, individuals looking to steal someone’s identity 
are increasingly able to do so. In our work, we identified a case where an 
individual obtained the names and SSNs of high-ranking U.S. military 
officers from a public Web site and used those identities to apply online 
for credit cards and bank credit. 2 

• In 2006, an Ohio woman pled guilty to conspiracy, bank fraud, and 
aggravated identity theft as the leader of a group that stole citizens’ 
personal identifying information from a local public record keeper’s Web 
site and other sources, resulting in over $450,000 in losses to individuals, 
financial institutions, and other businesses. 3 


1 Javelin Strategy and Research, 2009 Identity Fraud Survey Report: Consumer Version 
(Pleasanton, Calif., February 2009). 

2 GAO, Social Security Numbers: Federal and State Laws Restrict Use of SSNs, yet Gaps 
Remain. GAO-05-1016T. (Washington, D.C.: September 15, 2005). 

3 Social Security Numbers: Federal Actions Could Further Decrease Availability in Public 
Records, though Other Vulnerabilities Remain. GAO-07-752. (Washington, D.C.: June 15, 
2007). 




• In February 2007, an individual was convicted of aggravated identity theft, 
access device fraud, and conspiracy to commit bank fraud in the Eastern 
District of Virginia. The individual, who went by the Internet nickname 
“John Dillinger,” was involved in extensive illegal online “carding” 
activities, in which he received e-mails or instant messages containing 
hundreds of stolen credit card numbers, usually obtained through 
phishing 4 schemes or network intrusions, from “vendors” who were 
located in Russia and Romania. In his role as a “cashier” of these stolen 
credit card numbers, this individual would then electronically encode 
these numbers to plastic bank cards, make ATM withdrawals, and return a 
portion to the vendors. Computers seized by authorities revealed over 
4,300 compromised account numbers and full identity information (i.e., 
name, address, date of birth, Social Security number, and mother’s maiden 
name) for over 1,600 individual victims. 5 


Steps Have Been Taken at the Federal, State, and Local Level to Prevent Identity Theft, Although Gaps Remain in Efforts to Assist Victims 


Several steps have been taken, both in terms of legislation and 
administrative actions to combat identity theft at the federal, state and 
local levels, although efforts to assist victims of the crime once it has 
occurred remain somewhat piecemeal. While there is no one law that 
regulates the overall use of personally identifiable information by all levels 
and branches of government, numerous federal laws place restrictions on 
public and private sector entities’ use and disclosure of individuals’ 
personal information in specific instances, including the use and 
disclosure of SSNs — a key piece of information that is highly valuable to 
identity thieves. One intention of some of these laws is to prevent the 
misuse of personal information for purposes such as identity theft. 


Several Federal Laws Seek to Protect Personally Identifiable Information Including SSNs 


Two primary laws (the Privacy Act of 1974 and the E-Government Act of 
2002) give federal agencies responsibilities for protecting personal 
information, including ensuring its security. Additionally, the Federal 
Information Security Management Act of 2002 (FISMA) requires agencies 
to develop, document, and implement agency-wide programs to provide 
security for their information and information systems (which include 
personally identifiable information and the systems on which it resides). 
FISMA is the primary law governing information security in the federal 
government. The act also requires the National Institute of Standards and 
Technology (NIST) to develop technical guidance in specific areas, 
including minimum information security requirements for information and 
information systems. 


4 Phishing is a high-tech scam that frequently uses unsolicited messages to deceive people 
into disclosing their financial and/or personal identity information. 

5 Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats. 
GAO-07-705. (Washington, D.C.: June 22, 2007). Statement of Associate Deputy Attorney 
General before the Subcommittee on Terrorism, Technology and Homeland Security the 
Senate Committee on the Judiciary (Mar. 21, 2007). 

Other laws which help protect personally identifiable information include 
the Identity Theft and Assumption Deterrence Act, the Identity Theft 
Penalty Enhancement Act of 1998, the Gramm-Leach-Bliley Act (GLBA), 
and the Fair and Accurate Credit Transactions Act (FACTA). (See app. I, 
table 1, for a more detailed description of these and other related laws.) 
For example, the Identity Theft and Assumption Deterrence Act, enacted 
in 1998, makes it a criminal offense for a person to “knowingly transfer, 
possess, or use without lawful authority,” another person’s means of 
identification, such as their SSN, with the intent to commit, or in 
connection with, any unlawful activity that constitutes a felony under state 
or local law. 6 This act also mandated a specific role for the FTC in 
combating identity theft. To fulfill the mandate, FTC is collecting identity 
theft complaints and assisting victims through a telephone hotline and a 
dedicated Web site; maintaining and promoting the Identity Theft Data 
Clearinghouse, a centralized database of victim complaints that serves as 
an investigative tool for law enforcement; and providing outreach and 
education to consumers, law enforcement, and industry. According to 
FTC, it receives roughly 15,000 to 20,000 contacts per week on the hotline, 
via its Web site, or through the mail from victims and consumers who want 
to avoid becoming victims. In addition, the Identity Theft Enforcement and 
Restitution Act of 2008 requires persons convicted of identity theft to 
compensate their victims for the value of the time spent by the victim in an 
attempt to remediate the intended or actual harm incurred. 

Another law with some provisions to assist victims of identity theft is 
FACTA. This law has several provisions to help address the difficulties 
victims often encounter in trying to recover from identity theft, including 
(1) a requirement that the FTC develop a model summary of rights to be 
distributed to consumers who believe that they are victims of identity 
theft, (2) the right for consumers to place fraud alerts on their credit 
reports, (3) the right to obtain copies of business records involved in 
transactions alleged to be the result of identity theft, and (4) the right to 
obtain all information about fraudulently incurred debts that have been 
turned over to a collection agency. 


6 Under the act, an individual’s name or Social Security number is considered a “means of 
identification.” 

The Office of Management and Budget has also issued numerous 
memoranda to federal agencies on safeguarding personally identifiable 
information. These cover such matters as designating a senior privacy 
official with responsibility for safeguarding information, and developing 
and implementing a data breach notification plan. (See app. I, table 2, for a 
more comprehensive list of pertinent OMB memoranda). 


Several Federal Agencies Are Involved in Identifying and Investigating Identity Theft 


Numerous federal agencies can have a role in identifying and investigating 
identity theft. This is, in part, because identity theft is not a “stand alone” 
crime, but rather a component of one or more complex crimes, such as 
computer fraud, credit card fraud, or mail fraud. For example, with the 
theft of identity information, a perpetrator may commit computer fraud 
when using a stolen identity to fraudulently obtain credit on the Internet. 
Computer fraud may also be the primary vehicle used to obtain identity 
information when the offender obtains unauthorized access to another 
computer or Web site to obtain such information. As a result, if caught, the 
offender may be charged with both identity theft and computer fraud. 
Moreover, perpetrators usually prey on multiple victims in multiple 
jurisdictions. Consequently, a number of federal law enforcement agencies 
can have a role in investigating identity theft crimes. How the thief obtains 
and/or uses an individual’s identity usually dictates which federal agency 
has jurisdiction in the case. For example, if an individual finds that an 
identity thief has stolen the individual’s mail to obtain credit cards, bank 
statements, or tax information, the victim should report the crime to the 
U.S. Postal Inspection Service, the law enforcement arm of the U.S. Postal 
Service. In addition, violations are investigated by other federal agencies, 
such as the Social Security Administration Office of the Inspector General, 
the U.S. Secret Service, the Federal Bureau of Investigation (FBI), the U.S. 
Department of State, the U.S. Department of Education Office of Inspector 
General, and the Internal Revenue Service. The Department of Justice may 
also prosecute federal identity theft cases. (See app. I, table 3, which 
highlights some of the jurisdictional responsibilities of some key federal 
agencies.) 




States and Localities Have Enacted Laws and Taken Other Measures to Prevent Identity Theft and Assist Potential Victims 


Many states have laws prohibiting the theft of identity information. For 
example, New York law makes identity theft a crime. 7 In other states, 
identity theft statutes also address specific crimes committed under a false 
identity. For example, Arizona law prohibits any person from using 
deceptive means to alter certain computer functions or use software to 
collect bank information, take control of another person’s computer, or 
prevent the operator from blocking the installation of specific software. 8 
In addition, Idaho law makes it unlawful to impersonate any state official 
to seek, demand, or obtain personally identifiable information of another 
person. 9 Furthermore, some states have also included identity theft victim 
assistance provisions in their laws. For example, Washington state law 
requires police and sheriffs’ departments to provide a police report or 
original incident report at the request of any consumer claiming to be a 
victim of identity theft. 10 


States have also enacted laws to protect victims or potential victims of 
identity theft. One organization that tracks trends in identity theft reported 
in April 2009 that 47 states and the District of Columbia have enacted 
so-called “credit” or “security freeze” laws. 11 These laws allow consumers to 
block unauthorized third parties from obtaining their credit report or 
score. A consumer who places a security freeze on his or her credit report 
or score receives a personal identification number to gain access to credit 
information or to authorize the dissemination of credit information. Some 
states permit consumers to place security freezes only if they have been 
victims of identity theft or attempted identity theft. 12 The same 
organization also reported that, as of January 2009, 43 states and the 
District of Columbia require notifications of data breaches to consumers in 
certain circumstances. 13 Recently, some county governments have also 
completed or begun redacting or truncating SSNs that are displayed in 
public records — that is, removing the full SSN from display or showing 
only part of it. Some are responding to state laws requiring these 
measures, but others have acted on their own based on concerns about the 
potential vulnerability of SSNs to misuse. 


7 N.Y. Penal Law § 190.77-190.84 (2002). 

8 Ariz. Rev. Stat. § 44-7301 et seq. (2005). 

9 Idaho Code § 18-3126A (2005). 

10 Wash. Rev. Code § 19.182.160 (2005). 

11 See Consumers Union Web Site, 
http://www.consumersunion.org/campaigns//learn_more/003484indiv.html (accessed May 
14, 2009). 

12 CRS, Identity Theft Laws: State Penalties and Remedies and Pending Federal Bills, T. 
A. Rainson, Congressional Research Service, RL 34028 (Washington, D.C.: Aug. 6, 2007). 


Vulnerabilities Remain to Protecting Personally Identifiable Information 


While steps have been taken at the federal, state, and local level to prevent 
identity theft, vulnerabilities remain in both the public and private sectors. 
These vulnerabilities can be grouped into different areas, including: (1) 
display and use of Social Security numbers; (2) availability of personal 
information through private information resellers; and (3) security 
weaknesses in federal agency information systems that may lead to data 
security breaches involving personally identifiable information; among 
others. 14 


SSNs Are a Key Piece of Information Used in Identity Theft 


SSNs are a critical piece of information used to perpetrate identity theft. 
Although the SSN was created as a means to track workers’ earnings and 
eligibility for Social Security benefits, it is now also a vital piece of 
information needed to function in American society. Because of its unique 
nature and broad applicability, the SSN has become the identifier of 
choice for public and private sector entities, and it is used for numerous 
non-Social Security purposes. Today, U.S. citizens generally need an SSN 
to pay taxes, obtain a driver’s license, or open a bank account, among 
other things. SSNs, along with names and birth certificates, are among the 
three personal identifiers most often sought by identity thieves. SSNs play 
an important role in identity theft because they are used as breeder 
information to create additional false identification documents, such as 
drivers’ licenses. Most often, identity thieves use SSNs belonging to real 
people rather than making one up; however, on the basis of a review of 
identity theft reports, victims usually (65 percent of the time) did not know 
where or how the thieves got their personal information. 15 In those 
instances when the source was known, the personal information, including 
SSNs, usually was obtained illegally. In these cases, identity thieves most 
often gained access to this personal information by taking advantage of an 
existing relationship with the victim. The next most common means of 
gaining access were by stealing information from purses, wallets, or the 
mail. Finally, while documents such as public records were traditionally 
accessed by visiting government records centers, a growing source of 
identity theft may be via the Internet. This is because some record keepers 
sell records containing SSNs in bulk to private companies and provide 
access to records on their own government Web sites. When records are 
sold in bulk or made available on the Internet, it is unknown how and by 
whom the records, and the personal identifying information contained in 
them, are used. Because the sources of identity theft cannot be more 
accurately pinpointed, it is not possible at this time to determine whether 
SSNs that are used improperly are obtained most frequently from the 
private or public sector. 


13 See Consumers Union Web Site, 
http://www.consumersunion.org/campaigns//financialprivacynow/002215indiv.html 
(accessed May 14, 2009). 

14 Our work has also identified other potential vulnerabilities to personally identifiable 
information in the public and private sectors, including security of personal information 
when it is outsourced to third party service providers, vulnerabilities in identification 
cards, and availability of personal information in public records. 

Our prior work has documented several areas where potential 
vulnerabilities exist with respect to protecting the security of SSNs in both 
the public and private sectors. For example: 

• SSNs are displayed on some government-issued identification 
cards: We have reported that an estimated 42 million Medicare cards, 8 
million Department of Defense (DOD) insurance cards, and 7 million 
Department of Veterans Affairs (VA) beneficiary cards displayed entire 
9-digit SSNs. VA and DOD have begun taking action to remove SSNs from 
cards. For example, VA is eliminating SSNs from 7 million VA 
identification cards and will replace cards with SSNs or issue new cards 
without SSNs until all such cards have been replaced. However, the 
Centers for Medicare and Medicaid Services, with the largest number of 
cards displaying the entire 9-digit SSN, has no plans to remove the SSN 
from Medicare identification cards. 

• Complete SSNs Could be Constructed Using Various Sources: We 
also found a gap in a common practice for protecting SSNs: truncation — 
the practice of only displaying a partial number, such as the first 5 digits of 
an SSN. While we found that this practice would improve SSN protection if 
standardized, vulnerabilities remain. For example, in a recent review 
examining the availability of SSNs in public records, we found that it is 
possible to reconstruct an individual’s full nine-digit SSN by combining a 
truncated SSN from a federally generated lien record with a truncated SSN 
from an information reseller. 16 These records typically contain an 
individual’s SSN, name, and address. As a result of these findings, we 
advised Congress to consider enacting legislation to develop a 
standardized method of truncating SSNs. Such legislation was introduced 
in the 110th Congress. 


15 Javelin Strategy and Research, 2009 Identity Fraud Survey Report: Consumer Version 
(Pleasanton, Calif., February 2009). 


Federal Law Does Not Cover all Data or Services Provided by Information Resellers 


Federal law does not currently cover all data or services provided by 
information resellers, and the personally identifiable information these 
entities use in the course of their business operations could create 
potential vulnerability for identity theft, particularly when the information 
is available on the Internet. For example, information resellers, sometimes 
referred to as information brokers, are businesses that specialize in 
amassing personal information from multiple sources and offering 
informational services, including data on individuals. These entities may 
provide their services to a variety of prospective buyers, either to specific 
business clients or to the general public through the Internet. More 
prominent information resellers such as consumer reporting agencies and 
entities like LexisNexis provide information to their customers for various 
purposes, such as building consumer credit reports, verifying an 
individual’s identity, differentiating records, marketing their products, and 
preventing financial fraud. These information resellers limit their services 
to businesses and government entities that establish accounts with them 
and have a legitimate purpose for obtaining an individual’s personal 
information. For example, law firms and collection agencies may request 
information on an individual’s bank accounts and real estate holdings for 
use in civil proceedings, such as a divorce. Information resellers that offer 
their services through the Internet (Internet resellers) will generally 
advertise their services to the general public for a fee. Resellers, whether 
well-known or Internet-based, collect information from three sources: 
public records, publicly available information, and nonpublic information. 
The aggregation of the general public’s personal information, such as 
SSNs, in large corporate databases and the increased availability of 
information via the Internet may provide unscrupulous individuals a 
means to acquire SSNs and other personal information and use them for 
illegal purposes including identity theft. 


16 GAO-07-752 




However, no federal law explicitly requires all information resellers to 
safeguard all of the sensitive personal information they may hold. For 
example, the Fair Credit and Reporting Act (FCRA) applies only to 
consumer information used or intended to be used to help determine 
eligibility for credit, and GLBA’s safeguarding requirements apply only to 
customer data held by GLBA-defined financial institutions. Unfortunately, 
much of the personal information maintained by information resellers that 
does not fall under FCRA or GLBA is not necessarily required by federal 
law to be safeguarded, even when the information is sensitive and subject 
to misuse by identity thieves. 


Federal Agencies Rely on Information Systems to Carry out Their Missions but Security Weaknesses Leave them Vulnerable to Data Breaches 


Virtually all federal operations are supported by automated systems and 
electronic data, and agencies would find it difficult, if not impossible, to 
carry out their missions and account for their resources without these 
information assets. However, it is important for agencies to safeguard their 
systems against risks such as loss or theft of resources (such as federal 
payments and collections), modification or destruction of data, and 
unauthorized uses of computer resources or to launch attacks on other 
computer systems. Without such safeguards, sensitive information, such 
as taxpayer data, Social Security records, medical records, and proprietary 
business information could be inappropriately disclosed, browsed, or 
copied for improper or criminal purposes including identity theft. 


Our work indicates that persistent weaknesses appear in five major 
categories of information system controls. 17 As a result, federal systems 
and sensitive information are at increased risk of unauthorized access and 
disclosure, modification, or destruction, as well as inadvertent or 
deliberate disruption of system operations and services. GAO has found 
that federal agencies continue to experience numerous security incidents 
that could leave sensitive personally identifiable information in federal 
records vulnerable to identity theft. Such risks are illustrated by the 
following examples: 


17 These weaknesses include (1) access controls, which ensure that only authorized 
individuals can read, alter, or delete data; (2) configuration management controls, which 
provide assurance that only authorized software programs are implemented; (3) 
segregation of duties, which reduces the risk that one individual can independently 
perform inappropriate actions without detection; (4) continuity of operations planning, 
which provides for the prevention of significant disruptions of computer-dependent 
operations; and (5) an agency-wide information security program, which provides the 
framework for ensuring that risks are understood and that effective controls are selected 
and properly implemented. 




• In February 2009, the Federal Aviation Administration (FAA) notified 
employees that an agency computer was illegally accessed and employee 
personal identity information had been stolen electronically. Two of the 48 
files on the breached computer server contained personal information 
about more than 45,000 FAA employees and retirees who were on the 
FAA’s rolls as of the first week of February 2006. Law enforcement 
agencies were notified and are investigating the data theft. 

• In June 2008, the Walter Reed Army Medical Center reported that officials 
were investigating the possible disclosure of personally identifiable 
information through unauthorized sharing of a data file containing the 
names of approximately 1,000 Military Health System beneficiaries. Walter 
Reed officials were notified of the possible exposure on May 21 by an 
outside company. Preliminary results of an ongoing investigation 
identified a computer from which the data had apparently been 
compromised. Data security personnel from Walter Reed and the 
Department of the Army think it is possible that individuals named in the 
file could become victims of identity theft. The compromised data file did 
not include protected health information such as medical records, 
diagnosis, or prognosis for patients. 

• During fiscal year 2008, federal agencies reported 16,843 incidents to the 
U.S. Computer Emergency Readiness Team (US-CERT) — a 206 percent 
increase over the 5,503 incidents reported in 2006. 

Thus, significant weaknesses continue to threaten the confidentiality, 
integrity, and availability of critical information and information systems 
used to support the operations, assets, and personnel of federal agencies. 

The extent to which data breaches result in identity theft is not well 
known, in large part because it can be difficult to determine the source of 
the information used to commit identity theft. Available data and 
interviews with researchers, law enforcement officials, and industry 
representatives indicate that most breaches have not resulted in detected 
incidents of identity theft. In 2007, we reported on data breaches in 
selected sectors of the economy and the potential benefits of breach 
notifications. 18 As part of this review of the issue, we examined the 24 
largest breaches that appeared in the news media from January 2000 


18 GAO, Personal Information: Data Breaches Are Frequent, but Evidence of Resulting 
Identity Theft Is Limited; However, the Full Extent Is Unknown, GAO-07-737 
(Washington, D.C.: June 4, 2007). 




through June 2005 and found that 3 breaches appeared to have resulted in 
fraud on existing accounts, and 1 breach appeared to have resulted in the 
unauthorized creation of new accounts. 19 

When data breaches do occur, notification to the individuals affected 
and/or the public has clear benefits, allowing individuals the opportunity 
to take steps to protect themselves against the dangers of identity theft. 
Moreover, although existing laws do not require agencies to notify the 
public when data breaches occur, such notification is consistent with 
federal agencies' responsibility to inform individuals about how their 
information is being accessed and used, and promotes accountability for 
privacy protection. Similarly, in the private sector, representatives of 
federal banking regulators, industry associations, and other affected 
parties told us that breach notification requirements have encouraged 
companies and other entities to improve their data security practices to 
minimize legal liability or avoid public relations risks that may result from 
a publicized breach of customer data. Further, notifying affected 
consumers of a breach gives individuals the opportunity to mitigate 
potential risk — for example, by reviewing their credit card statements and 
credit reports, or placing a fraud alert on their credit files. Requiring 
consumer notification of data breaches may encourage better data 
security practices and help deter or mitigate harm from identity theft; 
however, such practices also involve monetary costs and other challenges 
such as determining an appropriate notification standard. 

Based on the experience of various federal agencies and private sector 
organizations in responding to data breaches, we identified the following 
lessons learned regarding how and when to notify government officials, 
affected individuals, and the public of a data breach. In particular: 

• Rapid internal notification of key government officials is critical. 

• A core group of senior officials should be designated to make decisions 
regarding an agency’s response. 

• Mechanisms must be in place to obtain contact information for affected 
individuals. 


19 GAO-07-737. 




• Determining when to offer credit monitoring to affected individuals 
requires risk-based management decisions. 

• Interaction with the public requires careful coordination and can be 
resource-intensive. 

• Internal training and awareness are critical to timely breach response, 
including notification. 

• Contractor responsibilities for data breaches should be clearly defined. 


OMB issued guidance in 2006 and 2007 reiterating agency responsibilities 
under the Privacy Act and FISMA, as well as technical guidance, drawing 
particular attention to the requirements associated with personally 
identifiable information. In this guidance, OMB directed, among other 
things, that agencies encrypt data on mobile computers or devices and 
follow NIST security guidelines regarding personally identifiable 
information. 

However, guidance to assist agency officials in making consistent 
risk-based determinations about when to offer credit monitoring or other 
protection services has not been developed. Without such guidance, 
agencies are likely to continue to make inconsistent decisions about what 
protections to offer affected individuals, potentially leaving some people 
more vulnerable than others. 

We and various agency inspectors general have made numerous 
recommendations to federal agencies to resolve prior significant control 
deficiencies and information security program shortfalls. In particular, we 
have noted that agencies also need to implement controls that reduce the 
chance of incidents involving data loss or theft, computer intrusions, and 
privacy breaches. For example, we recommended that the Director of 
OMB develop guidance for federal agencies on conducting risk analyses to 
determine when to offer credit monitoring and when to contract for an 
alternative form of monitoring, such as data breach monitoring, to assist 
individuals at risk of identity theft as a result of a federal data breach. 20 
Other recommendations to agencies include that they need to implement 
controls that prevent, limit, or detect access to computer resources, and 


20 GAO, Privacy: Lessons Learned about Data Breach Notification, GAO-07-657 
(Washington, D.C.: April 30, 2007). 




should manage the configuration of network devices to prevent 
unauthorized access and ensure system integrity. In addition, 
opportunities also exist to enhance policies and practices necessary for 
implementing sound information security programs. To implement these 
programs, agencies must create and maintain inventories of major 
systems, implement common security configurations, ensure staff receive 
information security training, test and evaluate controls, take remedial 
actions for known deficiencies, and certify and accredit systems for 
operation. While these recommendations are intended to broadly 
strengthen the integrity of federal information systems, they will also help 
address many of the vulnerabilities that can contribute to identity theft. 


Concluding Observations 


Efforts at the federal, state, and local level to protect personally 
identifiable information and help prevent identity theft are positive steps, 
but challenges remain. In particular, the use of SSNs by both public and 
private sector entities is likely to continue given that it is the key identifier 
used by these entities, and there is currently no widely accepted 
alternative. Personally identifiable information including an individual’s 
name, date of birth, and SSN are important pieces of information used to 
perpetrate identity theft and fraud, and it is critical that steps be taken to 
protect such information. Without proper safeguards in place, such 
information will remain vulnerable to misuse, thus adding to the growing 
number of identity theft victims. As Congress moves forward in pursuing 
legislation to address the problem of identity theft, focusing the debate on 
vulnerabilities that have already been documented may help target efforts 
and policy directly toward new solutions. We look forward to supporting 
congressional consideration of these important policy issues. 


Mr. Chairman, this concludes my prepared testimony. I would be pleased 
to respond to any questions you or other Members of the Subcommittee 
may have. 


GAO Contacts 


For further information regarding this testimony, please contact me at 
bertonid@gao.gov or (202) 512-7215. In addition, contact points for our 
Offices of Congressional Relations and Public Affairs can be found on the 
last page of this statement. Individuals making key contributions to this 
testimony include Jeremy Cox, John De Ferrari, Doreen Feldman, 
Christopher Lyons, and Joel Mams. 




APPENDIX I: Additional Information on Federal Laws, OMB Memorandums, and 
Federal Agency Investigation Jurisdiction Relating to Protection of 
Personal Information and Identity Theft 


Table 1: Selected Federal Laws Affecting Public and Private Sector Disclosure of Personal Information 

| Federal laws | Restrictions on disclosure | Entities affected |
|---|---|---|
| Gramm-Leach-Bliley Act (GLBA) | Creates a new definition of nonpublic personal information that includes SSNs and gives consumers the right to limit some, but not all, sharing of their nonpublic personal information. Financial institutions can disclose consumers’ nonpublic information without offering them an opt-out right under certain circumstances permissible under the law, such as to protect the confidentiality or security of the consumer's record and to prevent actual or potential fraud. | Financial institutions such as credit bureaus and entities that receive data from financial institutions |
| Fair Credit Reporting Act (FCRA) | Limits access to consumer reports, which generally include SSNs, to those who have a permissible purpose under the law, such as state or local officials involved in the enforcement of child support cases or determining eligibility for employment. | Consumer reporting agencies and users of consumer reports |
| Fair and Accurate Credit Transactions Act (FACTA) | Amends FCRA to allow, among other things, consumers who request a copy of their credit report to also request that the first five digits of their SSN (or similar identification number) not be displayed; requires consumer reporting agencies and any business that uses consumer reports to adopt procedures for proper disposal of such reports. | Consumer reporting agencies and users of consumer reports |
| Driver's Privacy Protection Act (DPPA) | Prohibits disclosing personal information from a motor vehicle record, including SSNs, except for purposes permissible under the law. | State departments of motor vehicles, department of motor vehicle employees or contractors, and recipients of personal information from motor vehicle records |
| Health Insurance Portability and Accountability Act (HIPAA) | Protects the privacy of health information that identifies an individual (including by SSNs) and restricts health care organizations from disclosing such information to others without the patient’s consent. | Health care providers, plans, and clearinghouses |
| The Privacy Act of 1974 | Regulates certain types of federal recordkeeping; generally prohibits disclosure of personal information collected and maintained by federal agencies, such as SSNs, with exceptions. | Federal agencies |
| Social Security Act Amendments of 1990 | Bars disclosure of SSNs collected pursuant to laws enacted on or after October 1, 1990. | Federal, state, and local government agencies |
| E-Government Act of 2002 | Requires agencies to conduct privacy impact assessments (PIA) of how personal information is collected, stored, shared, and managed in a federal information system. | Federal agencies |
| Federal Information Security Management Act of 2002 (FISMA) | Defines federal requirements for securing information and information systems that support federal agency operations and assets including controls necessary to preserve authorized restrictions on access and disclosure to protect personal privacy. | Federal agencies |

Source: GAO-02-352, GAO-06-495, GAO-06-676, GAO-06-833T, GAO-07-1023T. 





Table 2: Major OMB Memorandums Related to Protection of Personally Identifiable Information 

| Memorandum, date | Title | Major personally identifiable information requirement or recommendation |
|---|---|---|
| M-05-08, Feb. 11, 2005 | Designation of Senior Agency Officials for Privacy | Directs agencies to designate a senior official with overall responsibility for information privacy issues who • is accountable for ensuring agency implementation of information privacy protection; and • must take appropriate steps to protect personally identifiable information from unauthorized use, access, disclosure, or sharing, and to protect related information systems from unauthorized access, modification, disruption, or destruction. |
| M-06-15, May 22, 2006 | Safeguarding Personally Identifiable Information | Re-emphasizes agency responsibilities to safeguard personally identifiable information and to appropriately train employees in this regard. Requires agency Senior Official for Privacy to conduct a review of policies and processes, and take necessary corrective actions to prevent the intentional or negligent misuse of, or unauthorized access to, personally identifiable information. |
| M-06-16, June 23, 2006 | Protection of Sensitive Agency Information | Recommends that all agencies • encrypt all data on mobile computers/devices that carry agency data unless the data are determined to be nonsensitive; • allow remote access only with two-factor authentication, where one factor is provided by a device separate from the computer gaining access; • use a “time-out” function for remote access and mobile devices requiring user reauthentication after 30 minutes of inactivity; and • log all computer-readable data extracts from databases holding sensitive information and verify that each extract including sensitive data has been erased within 90 days. Recommends that agencies use a NIST security checklist, included in the memo, that provides specific actions to be taken by agencies to protect personally identifiable information that is either accessed remotely or physically transported outside an agency’s secured physical perimeter. |
| M-06-19, July 12, 2006 | Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments | Requires agencies to report all incidents involving personally identifiable information to US-CERT within 1 hour of discovering the incident (this revises previous guidelines for reporting security incidents). |
| M-06-20, July 17, 2006 | FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management | Requires agencies to identify in their yearly FISMA reports any physical or electronic incidents involving the loss of or unauthorized access to personally identifiable information. |
| M-07-16, May 22, 2007 | Safeguarding Against and Responding to the Breach of Personally Identifiable Information | Requires agencies to develop and implement a breach notification policy and plan, including policy for the notification of the public, and provides the elements that must be included in the policies, including the incident reporting requirements of M-06-19. Restates recommendations of M-06-16 as requirements. Requires agencies to establish an agency response team to ensure adequate coverage and implementation of the plan. Requires agencies to review and reduce the volume of personally identifiable information to the minimum necessary and reduce the use of Social Security numbers. Updates incident reporting and handling requirements. Requires agencies’ breach notification policy and plan to lay out employees' roles and responsibilities for handling breaches of personally identifiable information, as well as relationships with contractors or partners. |

Source: GAO-08-343 


Table 3: List of Federal Agencies with Some Identity Theft Jurisdiction 

| Federal agency | Jurisdictional identity theft highlights |
|---|---|
| Social Security Administration’s Office of the Inspector General | Investigates SSN misuse involving the buying and selling of SSN cards. |
| U.S. Secret Service | Investigates crimes associated with financial institutions; investigations include bank fraud, access device fraud involving credit and debit cards, telecommunications and computer crimes, fraudulent identification, fraudulent government and commercial securities, and electronic funds transfer fraud. |
| Federal Bureau of Investigation | Investigates cases of identity theft; investigations can include bank fraud, mail fraud, wire fraud, bankruptcy fraud, insurance fraud, and fraud against the government. In addition, FBI sponsors a national Identity Theft Working Group, where participants from law enforcement, federal regulatory bodies, and the financial services industry meet regularly to discuss identity theft related issues. |
| U.S. Securities and Exchange Commission | Investigates investment fraud in instances where an identity thief has tampered with securities investments or brokerage accounts. |
| U.S. Department of State | Investigates passport fraud in instances where a passport is used fraudulently. |
| U.S. Department of Education, Office of Inspector General | Investigates fraudulent student loan activity. |
| Internal Revenue Service | Investigates tax fraud where identity theft may relate directly to tax records. |

Source: GAO-05-1016T 




Related GAO Products 


Information Security: Agencies Make Progress in Implementation of 
Requirements, but Significant Weaknesses Persist. GAO-09-701T. 
Washington, D.C.: May 19, 2009. 

Social Security Numbers Are Widely Available in Bulk and Online Records, 
but Changes to Enhance Security Are Occurring. GAO-08-1009R. 
Washington, D.C.: September 19, 2008. 

Information Security: Federal Agency Efforts to Encrypt Sensitive 
Information Are Under Way, but Work Remains. GAO-08-525. Washington, 
D.C.: June 27, 2008. 

Information Security: Progress Reported, but Weaknesses at Federal 
Agencies Persist. GAO-08-571T. Washington, D.C.: March 12, 2008. 

Information Security: Protecting Personally Identifiable Information. 
GAO-08-343. Washington, D.C.: January 25, 2008. 

Information Security: Despite Reported Progress, Federal Agencies Need 
to Address Persistent Weaknesses. GAO-07-837. Washington, D.C.: July 27, 
2007. 

Cybercrime: Public and Private Entities Face Challenges in Addressing 
Cyber Threats. GAO-07-705. Washington, D.C.: June 22, 2007. 

Social Security Numbers: Use is Widespread and Protection Could Be 
Improved. GAO-07-1023T. Washington, D.C.: June 21, 2007. 

Social Security Numbers: Federal Actions Could Further Decrease 
Availability in Public Records, though Other Vulnerabilities Remain. 
GAO-07-752. Washington, D.C.: June 15, 2007. 

Personal Information: Data Breaches Are Frequent, but Evidence of 
Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown. 
GAO-07-737. Washington, D.C.: June 4, 2007. 

Privacy: Lessons Learned about Data Breach Notification. GAO-07-657. 
Washington, D.C.: April 30, 2007. 

Privacy: Domestic and Offshore Outsourcing of Personal Information in 
Medicare, Medicaid, and TRICARE. GAO-06-676. Washington, D.C.: 
September 5, 2006. 




Personal Information: Key Federal Privacy Laws Do Not Require 
Information Resellers to Safeguard All Sensitive Data. GAO-06-674. 
Washington, D.C.: June 26, 2006. 

Privacy: Preventing and Responding to Improper Disclosures of Personal 
Information. GAO-06-833T. Washington, D.C.: June 8, 2006. 

Social Security Numbers: Internet Resellers Provide Few Full SSNs, but 
Congress Should Consider Enacting Standards for Truncating SSNs. 
GAO-06-495. Washington, D.C.: May 17, 2006. 

Social Security Numbers: More Could Be Done to Protect SSNs. 
GAO-06-586T. Washington, D.C.: March 30, 2006. 

Social Security Numbers: Stronger Protections Needed When Contractors 
Have Access to SSNs. GAO-06-238. Washington, D.C.: January 23, 2006. 

Social Security Numbers: Federal and State Laws Restrict Use of SSNs, yet 
Gaps Remain. GAO-05-1016T. Washington, D.C.: September 15, 2005. 

Identity Theft: Some Outreach Efforts to Promote Awareness of New 
Consumer Rights Are Underway. GAO-05-710. Washington, D.C.: June 30, 
2005. 

Information Security: Emerging Cybersecurity Issues Threaten Federal 
Information Systems. GAO-05-231. Washington, D.C.: May 13, 2005. 

Social Security Numbers: Governments Could Do More to Reduce Display 
in Public Records and on Identity Cards. GAO-05-59. Washington, D.C.: 
November 9, 2004. 

Social Security Numbers: Private Sector Entities Routinely Obtain and Use 
SSNs, and Laws Limit the Disclosure of This Information. GAO-04-11. 
Washington, D.C.: January 22, 2004. 

Social Security Numbers: Government Benefits from SSN Use but Could 
Provide Better Safeguards. GAO-02-352. Washington, D.C.: May 31, 2002. 





GAO’s Mission 

The Government Accountability Office, the audit, evaluation, and 
investigative arm of Congress, exists to support Congress in meeting its 
constitutional responsibilities and to help improve the performance and 
accountability of the federal government for the American people. GAO 
examines the use of public funds; evaluates federal programs and policies; 
and provides analyses, recommendations, and other assistance to help 
Congress make informed oversight, policy, and funding decisions. GAO’s 
commitment to good government is reflected in its core values of 
accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony 

The fastest and easiest way to obtain copies of GAO documents at no cost 
is through GAO’s Web site (www.gao.gov). Each weekday afternoon, GAO 
posts on its Web site newly released reports, testimony, and 
correspondence. To have GAO e-mail you a list of newly posted products, 
go to www.gao.gov and select “E-mail Updates.” 

Order by Phone 

The price of each GAO publication reflects GAO’s actual cost of 
production and distribution and depends on the number of pages in the 
publication and whether the publication is printed in color or black and 
white. Pricing and ordering information is posted on GAO’s Web site, 
http://www.gao.gov/ordering.htm. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or 
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card, 
MasterCard, Visa, check, or money order. Call for additional information. 

To Report Fraud, Waste, and Abuse in Federal Programs 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm 

E-mail: fraudnet@gao.gov 

Automated answering system: (800) 424-5454 or (202) 512-7470 

Congressional Relations 

Ralph Dawn, Managing Director, dawnr@gao.gov, (202) 512-4400 

U.S. Government Accountability Office, 441 G Street NW, Room 7125 
Washington, DC 20548 

Public Affairs 

Chuck Young, Managing Director, youngcl@gao.gov, (202) 512-4800 

U.S. Government Accountability Office, 441 G Street NW, Room 7149 
Washington, DC 20548 




Mr. Clay. We have been joined by the ranking member, Mr. 
McHenry of North Carolina. And I will recognize him first for 5 
minutes of questioning. 

Mr. McHenry. 

Mr. McHenry. Thank you, Mr. Chairman. 

I am sorry I was detained, but I certainly appreciate your testimony. 
I have taken a look at your testimony before, but, you know, 
it is obvious there is an identity theft challenge that we’re facing 
as a country. And Congress — in the House have largely divided 
jurisdictions, and so we have jurisdictional committee issue on this 
issue as well. In terms of really acting to preclude some of the 
issues that you brought up today, I am on Financial Services; we 
certainly have a substantial amount of concern there with identity 
theft and how that has ramifications for people’s credit ratings and 
access to credit generally. 

Mr. Bertoni, you reference a truncation standard. Now, you’re 
talking about to truncate someone’s Social Security number? 

Mr. Bertoni. Correct, correct. 

Mr. McHenry. Now, would that — is that difficult to do, because 
what the Federal Government said, a Social Security number is 
only for Social Security, it is not an identification number. That’s 
what we have stated in the law. Now, in fact, you know, colleges, 
banks, institutions large and small use your Social Security number 
as basically your identifier. Will we have to change existing law 
there in order to acknowledge that it is, in fact, an identification 
number? 

Mr. Bertoni. We’re taking questions. The fact is that the SSN 
has become the unique national identifier. SSA will say that it is 
not to be used for identification purposes, but let’s face it, that’s 
where we are at. You can’t rent a movie from Blockbuster or get 
satellite television without providing your SSN, and that is being 
bumped against other data elements to confirm identity. 

And in our view the Social Security number is probably the most 
critical piece of information that identity thieves would want in 
terms of the personal identifying information that they can get 
their hands on. Without the SSN the other elements are much 
more difficult to do anything with. 

I don’t believe you have to do anything to change the law. 
We’ve — Gramm-Leach-Bliley has already determined or codified 
that the SSN is part of personal identifying information that can — 
needs to be protected. 

Mr. McHenry. Sure it needs 

Mr. Bertoni. So it’s a matter of taking some next steps to broaden 
that voice to, I think, some other industries. 

And as far as truncation goes, it is not difficult. It is a matter 
of getting on a national level the standard to be consistent, because 
if you’re truncating on the front half, and an information — another 
information reseller is truncated on the back end, within minutes 
I can find both sides of that SSN and probably find your name, 
date of birth and some other records, and have an identity very 
quickly. 

Mr. McHenry. Certainly — and speaking of Social Security numbers, 
in your — you mentioned the National Archives, a loss of information 
or theft of information. We’re not certain of, even now, what 
exactly happened. But the hard drive disappearance at the National 
Archives, it included 100,000 Social Security numbers, including 
apparently Al Gore’s daughter’s Social Security number is 
in this information, and contact information, including addresses 
for various and high-ranking Clinton administration officials, Secret 
Service — as well as Secret Service and a number of other personnel 
that are included. 

This is highly sensitive information. So I’m not asking you to testify 
about the procedures of the National Archives, but what can 
the government do to mitigate the damage or potential damage of 
this loss of information? 

Mr. Bertoni. I think right up front, some thought to encryption 
should have been at — in play. If you have encrypted data, you leave 
it somewhere where it shouldn’t be, it’s going to be much more difficult 
for an identity thief to do something with, especially if it is 
encrypted in accordance with NIST standards. So on the front end, 
I don’t know what that data looked like, but I would hope — I don’t 
know, it had some type of encryption technology. 

After the fact we now have to do a risk-based assessment of 
where do we think this ended up, what was on it, and what’s the 
likelihood of identity theft. And from there you go to a go/no go on 
data breach notification, and ultimately another risk assessment 
assessing what’s the likelihood that this is out there and being 
used. And then beyond that you have to think about what services 
you’re going to offer, passive monitoring or active alerts on credit 
records, or even credit freezes. So there are some major decisions 
that have to be made after the fact. 

Mr. McHenry. Do you have any comments, Ms. Broder? 

Ms. Broder. Yes, briefly. The Social Security number is indeed 
a very sensitive and valuable piece of identity for identity thieves, 
but partly that is because it is used not only as an identifier to link 
you with your information, but also as an authenticator to establish 
that you are indeed the person who you purport to be. And one 
of the recommendations that the Federal Trade Commission has 
made was that companies that open up consumer accounts have 
more rigorous standards to authenticate consumers so it is not so 
easy, so that the Social Security number is not the de facto key to 
the kingdom, but that more robust systems are in place to prevent 
that type of fraud from happening. 

And, of course, other recommendations. Certainly locking down 
Social Security numbers, having appropriate data security are important 
front end, but authentication also could go a long way to 
reducing the incidence of identity theft. 

Mr. McHenry. Mr. Weinstein, any comments? 

Mr. Weinstein. No. 

Mr. McHenry. Well, thank you so much for testifying. I know we 
have other questions as well. Thank you. 

Mr. Clay. Thank you, Mr. McHenry. 

Ms. Broder, ID breaches are very devastating to consumers, and 
oftentimes are caused by simple negligence by businesses or their 
refusal to make any attempts at compliance with privacy policies. 
I noted in your statement that the FTC has, since 2001, used its 
authority under the FTC Act to bring 26 cases against businesses 
that allegedly failed to protect consumers’ personal information. 
And can you give me examples of the types of punishment that is 
given to these businesses that disregard those safeguards designed 
to protect privacy? Are they sufficient as deterrents? Are they too 
soft? Does the FTC Act need strengthening? 

Ms. Broder. One of our recommendations is that we can now 
bring cases, data security cases, under section 5 of the Federal 
Trade Commission Act under the Gramm-Leach-Bliley Act, but we 
can’t seek civil penalties. Those laws do not give us the authority 
to impose civil penalties against those companies. So while we can 
get injunctive relief that requires them to subject themselves to audits, 
that requires them to take certain steps to improve their data 
security program, at this present time, sir, we cannot assess civil 
penalties. That is one of the legislative recommendations that the 
Commission has made, because we think a financial deterrent will 
go a long way to encouraging greater compliance with these laws. 

Mr. Clay. You mentioned a grant for a nationwide model for relief 
for victims. Have you come up with a nationwide model? 

Ms. Broder. The Department of Justice’s Office of Victims of 
Crime have given grants to four different organizations around the 
country to develop nonprofit centers for victims of identity theft 
that can provide greater assistance, more individualized care for 
people who have more engaged problems. 

What we find at the FTC, of the 300,000 people who contacted 
us last year seeking assistance, many of them are able to use these 
tools themselves to restore their credit history, to dispute fraudulent 
accounts. There are tools in place, and many consumers are 
able to exercise them. 

In more complex problems, or with consumers who are not able 
to exercise those rights, we find that those organizations often can 
provide additional assistance. 

So the FTC is doing a lot of work there every day, 20,000 contacts 
every week from consumers asking for information or seeking 
advice on identity theft. But there are some cases that are more 
complex that need more — that grant is still underway, and I think 
a final assessment has not been made on the success of those programs. 

Mr. Clay. OK. We would be interested in seeing what the assessments 
are. 

Mr. Weinstein, you know, ID theft is on the rise. What are some 
of the new or emerging forms of the crime? 

Mr. Weinstein. You know, the crime varies from low-tech to 
high-tech. There are still plenty of identity thieves who use low- 
tech means to get personal identifying information and to exploit 
it, using a telephone and their own personal skill at dealing with 
people. But the high-tech trend, I think the most troubling is the 
carding forum. And the carding forum is an on-line active market- 
place for the sale and exploitation of technology and tools to com- 
mit intrusions and to buy and sell the data from those intrusions. 

A number of the cases that our division and U.S. attorneys’ of- 
fices nationwide have been prosecuting — investigating and pros- 
ecuting and have been most challenging have involved carding 
forums, and they are challenging on a number of levels. First, they 
have numerous members. The Dark Market, the one I mentioned, 
had 2,100 active members at one time. Second, those numbers are 
worldwide, and so they present a lot of challenges that any inter- 
national case presents. But what makes those such disturbing 
trends in identity theft is that they are so sophisticated, and they 
are so organized. As I said it in my statement, identity thieves 
used to be solo actors. Now identity thieves are often linked with 
organized crime. And we find that organized crime, especially 
international criminal organizations, are capitalizing on the value 
of personal identifying information and exploiting that to make lots 
of money very quickly. 

If you go on to one of these carding forums, if you are vouched 
for and able to get access to it, or, as we do, if an undercover officer 
is able to get access, your mind will be blown by what is going on 
these sites. Stolen credit card and ATM information that has been 
obtained through computer intrusions is there for sale. People who 
can commit hacking and other types of intrusions are offering their 
services for money. False identification documents, fraudulent cred- 
it cards that have been manufactured using information that’s sto- 
len are being offered for sale. Tools and equipment to manufacture 
fraudulent credit cards are being offered for sale. And that infor- 
mation is exploited for — to make massive amounts of money, to 
steal massive amounts of money in a short period of time. That, I 
think, is the most difficult trend in high-tech identity theft, and 
that’s the one we’re most concerned about. 

Mr. Clay. What type of legislation could we enact that would re- 
duce the threat of identity theft? Have you come up with any good 
ideas or suggestions? 

Mr. Weinstein. Well, there’s two — legislation in two areas that 
I think would be useful, and that would make what we’re already 
doing more effective. We work very hard to keep pace with the in- 
creasingly sophisticated criminals we investigate and prosecute. We 
continually train investigators and agents. We have the highest- 
tech tools and the best-trained investigators and prosecutors any- 
where in pursuing these types of crime — this type of crime. And we 
try to keep pace with and anticipate what the cybercriminals will 
do next. 

But there are two areas in the law that I think, even after the 
Identity Theft Enforcement and Restitution Act of 2008, that there 
are areas we can still improve our efforts: No. 1, legislation that 
will enable us to better coordinate and cooperate with our inter- 
national partners. As the examples I gave in my statement and the 
others that are mentioned in the written testimony indicate this is 
increasingly an international crime, a transnational crime. And as 
I indicated a moment ago, because the crime is increasingly com- 
mitted or participated in by international criminal organizations, it 
is absolutely essential that we be able to work cooperatively with 
law enforcement. And cooperation with law enforcement is a two- 
way street. Every day we ask foreign governments and foreign law 
enforcement agencies to help us in prosecutions that we’re engag- 
ing over here, but they need our help as well. And so legislation 
that clarifies the authority of U.S. courts to compel the production 
of evidence that can be used in a foreign criminal investigation, 
something, by the way, that was one of the recommendations in the 
Identity Theft Task Force a few years ago but hasn’t made it into 
law yet, would be a very effective tool, because the more we can 
offer help to foreign partners who are fully engaged on this issue, 
the more we can expect them to help us. So that’s No. 1. 

No. 2 is closer to home, and that’s sentencing. The Congress, in 
the Identity Theft Enforcement and Restitution Act, directed the 
sentencing commission to examine the guidelines related to iden- 
tity theft and to explore amendments to them. And in a sense the 
Commission has come up with some amendments to the guidelines 
that govern identity theft, but those amendments, I think, are lack- 
ing. As these criminals become more sophisticated, using proxies, 
using keystroke loggers and spyware, using increasing — increas- 
ingly sophisticated technology to exploit our personal information, 
we need the sentencing schemes to keep up, and so we believe the 
Computer Fraud and Abuse Act, which is codified at Title 18 U.S. 
Code section 1030, which is the statute that we principally charge 
in this area for computer-related identity thief — identity theft, 
should be amended to adopt harsher penalties for this kind of 
crime, and that the guidelines should be amended accordingly for 
even greater enhancements for the use of sophisticated tech- 
nologies. 

Identity theft involving high-tech means it is harder to inves- 
tigate, and it is harder to prosecute. It is much more resource-in- 
tensive, and it’s much more dangerous, because using high tech- 
nology, identity thieves can get more people’s information and use 
it to steal more money in a shorter period of time. The guidelines 
should punish that kind of identity theft involving that kind of 
technology and those kinds of means much more harshly than other 
forms of this crime. And so we think that the guidelines should be 
amended as well to keep pace with the increasingly sophisticated 
technology and techniques that these criminals are using. 

Mr. Clay. Thank you for that response. 

I will go to my colleague from Ohio Mr. Driehaus for 5 minutes. 

Mr. Driehaus. Thank you, Mr. Chairman, and thank you for 
holding this panel and the next panel. I think this is a critically 
important issue. 

As a State legislator in Ohio for 8 years, we often wrestled with 
the issue of identity theft, and I recall one of my colleagues in the 
legislature calling me one time and reciting to me my Social Secu- 
rity number that he found on a local government Web site, because 
I had gotten a traffic ticket, and the clerk of courts, in his infinite 
wisdom, decided that all records are not only public, but should be 
published on the Internet. And so we worked to modify that in the 
State of Ohio, but I’ve got to tell you, it took a long time to make 
that happen. 

So I’m interested in the perspective, all of you, really all three 
of you, as to what we can do at the congressional level to — this al- 
ways happens when I’m asking questions, by the way — but what 
we might be able to do to provide guidance to State and local gov- 
ernments, because they continue to have this problem, this quan- 
dary, between making information available to the public and pro- 
tecting the privacy of the citizens of their various jurisdictions. And 
you find that the policies are all over the place. And in the case 
of Hamilton County, where I am, in Cincinnati, the clerk of courts 
was simply taking documents, scanning documents and putting 
them directly onto the Internet, despite — despite the fact that they 
had information about people’s bank accounts, they had Social Se- 
curity numbers, they had private information. They weren’t redact- 
ing the information. His excuse was that they couldn’t redact the 
information because it was documents being scanned, which I 
found to be kind of lame. 

But I would like your input as to how we might do a better job 
in informing policy at the State and local level so that those local 
entities aren’t making this information available, because we see 
this happen all the time. 

Mr. Bertoni. I can take a shot at that. Before you came in, I had 
a lot to say about public recordkeepers. 

I think one thing we have here, you know, issues of federalism 
in State rights, certainly. But, no, I do believe through the years 
and opportunities we’ve had to look at this, that States are becom- 
ing more aware of the value of SSN and other personally identifi- 
able information in public records. So we see, we do see movement 
in many cases of States trying to at least truncate or redact SSNs. 
Florida wholesale has redacted SSNs from their records, but there 
is variability. 

One thing that we have tried to do or perhaps suggested is per- 
haps the Association of Governors can come together and talk 
about best practices for redaction and truncation, but that will take 
some cooperation across States. 

As far as guidance, I think there is — there are good things hap- 
pening out there that States are doing. It is a matter of raising it 
up to the level of a national level where we can have a forum. And 
we have done that in various forums in testifying about what 
States are doing. 

Mr. Driehaus. But given the number of entities of State and 
local governments that are out there, there doesn’t tend to be any 
uniformity, and I guess that’s what I am trying to get at. How do 
we bring uniformity to the practices at the local level in terms of 
the availability of documents? You know, they are dealing with 
their own States’ sunshine laws in what records need to be made 
available, but how do we get to a point where there is uniformity 
at the State and local government level in terms of the information 
being made available? 

Mr. Bertoni. I don’t know if we’re going to be able to — you’re 
going to be able to direct States to either include or not include in- 
formation. I’m not — we’re getting into issues of federalism and 
State rights. But we believe there is opportunity to establish at the 
congressional level a national standard for truncation, so at least 
what’s in there will be consistent in terms of how SSNs are trun- 
cated in either the front end or back end, because right now it is 
very easy to go into any single State set of records and find, be- 
cause of variance in truncation, the front end and the back end of 
an SSN and put it together very quickly. So, step one, we have rec- 
ommended that the Congress establish a national truncation stand- 
ard. 

Ms. Broder. Mr. Driehaus, we actually submitted testimony to 
the Ohio committee that was addressing this very issue about pub- 
lic access to data and SSNs, and it is a challenging one, as Mr. 
Bertoni set out. There are some models going forward. Certainly 
the Federal court system and the bankruptcy court system have 
undertaken a system to truncate from their records Social Security 
numbers and other personally identifying information for which 
there is no public value in revealing. 

Of course, we have a public interest in making — giving trans- 
parency to process, but there is a point at which some of this infor- 
mation does not serve that purpose. And so in the Federal court 
electronic system, none of this data is readily available. But there 
are many people who say that with respect to, for example, the So- 
cial Security number, the cost associated with doing this process 
retroactively is overwhelming, going through all of the records, all 
the housing records and anything else that may now be available 
electronically. It is a very costly undertaking. In other words, 
maybe the feathers are already out of the pillow, can’t put them 
back in. 

And then I would return to the issue of authentication. If compa- 
nies took better care in making sure they were dealing with the 
right person rather than just seeing a Social Security number and 
assuming that was adequate for opening an account, then the 
availability of this information would be much less of a threat. I’m 
not saying it shouldn’t be protected, but this is all part of a com- 
prehensive program to protect the data and make it less available, 
but also less useful for identity thieves. 

Mr. Bertoni. If I could add to that. You’re right, I think, in the 
case of Ohio, they sell public records to — in bulk to various ven- 
dors. So even if you were to start redacting or removing or truncat- 
ing today, those records have been sold and resold and resold al- 
ready many, many times. So going forward you could sort of stop 
this flow of SSNs in the public records. 

But keep in mind this information has already been sold to many 
vendors, and that’s where we get at the other piece of our other 
recommendations, that regardless of industry, you have to look at 
the sensitivity of the information and mandate that information be 
controlled regardless of who you are and what you’re using it for. 
Information resellers, tax preparations, telecommunications, all 
those right now are held to a lower bar in terms of information dis- 
closure and protection. 

Mr. Driehaus. Thank you, Mr. Chairman. 

Mr. Clay. Thank you, Mr. Driehaus. 

Mr. Bertoni, are there currently any plausible alternatives to the 
Social — Social Security number as a personal identifier in govern- 
ment systems? 

Mr. Bertoni. I don’t think any widely plausible alternatives cur- 
rently exist. Again, this started in 1935 with an Executive order 
that all Federal agencies were going to use the SSN for internal 
and external management of their programs. So this is longstand- 
ing, ingrained use — usage. 

I do know that there are alternatives being considered at least 
on a case-by-case basis. The health industry is starting to move 
away from the Social Security number as your identifier and as- 
signing alternative patient numbers. The Office of Management 
and Budget in 2007 directed agencies to look for alternatives to the 
SSN in assigning numbers to personnel for either travel manage- 
ment or payroll, etc. And even in GAO we have gone in that direc- 
tion; we have alternatives to the SSN. But as far as a broadly used 
national number, no. And if we go in that direction, we are in the 
same position that we have to, from day one, think about how we 
would protect it. 

Mr. Clay. Yeah. Does any single Federal agency have the au- 
thority to regulate the use of the Social Security number in Federal 
information systems? 

Mr. Bertoni. Not that I’m aware of. Originally many had argued 
that SSA — SSA would be the one that would do that. But their 
view is that their regulation stops once it leaves the agency. So 
within the agency they regulate and control; once it goes to another 
Federal agency, they do not believe they have jurisdiction to tell 
that other agency what to do with the number. 

Mr. Clay. OK. Anyone else on the panel have anything to add? 
If not, let me — we will dismiss this panel and then go into recess 
for two votes on the floor, and, when we come back, swear in the 
second panel. And Members are reminded that you have up to 5 
legislative days to submit opening statements or any other mate- 
rials for the record. And, Mr. McHenry, your opening statement 
will be included without objection. 

We stand in recess. 

[Recess.] 

Mr. Clay. The subcommittee will come to order. 

On our second panel, our first witness is Ms. Catherine Allen, 
the founder and chairman and CEO of the Santa Fe Group, a stra- 
tegic consulting company based in Santa Fe, NM. The Santa Fe 
Group specializes in briefings to executives and boards of directors 
at financial institutions and other critical infrastructure companies, 
and provides management for strategic industry and institutional 
projects. 

Welcome to the subcommittee. 

Next, we will hear from Mr. Marc Rotenberg, the executive direc- 
tor of the Electronic Privacy Information Center in Washington, 
DC. He teaches information privacy law at Georgetown University 
Law Center and has testified before Congress on many issues, in- 
cluding access to information, encryption policy, consumer protec- 
tion, computer security and communications privacy. 

Welcome to you, Mr. Rotenberg. 

Our third witness is Mr. Donald J. Rebovich, the executive direc- 
tor of Utica College’s Center for Identity Management and Informa- 
tion Protection and executive director of Utica College’s Economic 
Crime and Justice Studies program. His background includes re- 
search in identity theft, economic crime, victimization, white collar 
crime prosecution, and multijurisdictional task force development. 

Thank you for being here. 

Next we will hear from Ms. Anne Wallace, president of the Iden- 
tity Theft Assistance Corp., a nonprofit corporation that operates 
ITAC, the Identity Theft Assistance Center. Ms. Wallace is a na- 
tionally recognized expert on privacy and financial services law, 
and she works to protect all consumers through consumer edu- 
cation and partners with law enforcement to combat identity theft. 

The final witness is Mr. Eric Handy, a representative for the 
Identity Theft Resource Center. Mr. Handy is an IT security and 
privacy specialist with over 15 years of information technology consulting 
experience. He specializes in privacy and information security program 
implementation and program management oversight. 

Thank you all for appearing before the subcommittee today. It is 
the policy of the subcommittee to swear in all witnesses before they 
testify. I would like to ask you to stand and raise your right hands. 

[Witnesses sworn.] 

Mr. Clay. Let the record reflect that the witnesses answered in 
the affirmative. 

Each of you will have 5 minutes to make opening statements. 
Your complete written testimony will be included in the hearing 
record. The yellow light in front of you will indicate that it is time 
to sum up. The red light will indicate that your time has expired. 

Ms. Allen, you may begin. 

STATEMENTS OF CATHERINE ALLEN, CHAIRMAN AND CEO, 

THE SANTA FE GROUP; MARC ROTENBERG, EXECUTIVE DI- 
RECTOR, ELECTRONIC PRIVACY INFORMATION CENTER; 

DONALD REBOVICH, EXECUTIVE DIRECTOR, CENTER FOR 

IDENTITY MANAGEMENT AND INFORMATION PROTECTION; 

ANNE WALLACE, PRESIDENT, IDENTITY THEFT ASSISTANCE 

CORP.; AND ERIC HANDY, REPRESENTATIVE, IDENTITY 

THEFT RESOURCE CENTER 

STATEMENT OF CATHERINE ALLEN 

Ms. Allen. Thank you, Chairman Clay and members of the subcommittee. 
Thank you for your leadership in highlighting the issue of 
victims of identity crime in the often long and lonely road they 
walk toward restoration. 

I have spent most of my career in the financial services industry, 
most recently as the founding CEO of BITS, a CEO-driven, non- 
profit financial services industry consortium. I grew up in a small 
town in Missouri, and my dad was a banker, so I have been in the 
banking industry for awhile. 

Today I am involved in efforts to examine the way the financial 
services industry is regulated and the impact of policy on consum- 
ers. In this area of identity theft, I believe we are just at the tip 
of the iceberg because of the growing cybersecurity threats we face. 
And it is why we think that a Victims Bill of Rights is necessary. 
The victim’s voice is seldom heard in the debate. 

This testimony reflects the work of the Santa Fe Group Vendor 
Council, formed in 2006 to bring together leaders at service pro- 
vider organizations. The vendor council promotes the development 
of secure, best-in-class technology solutions, standards and best 
practices related to fraud, payments, cybersecurity, data protection 
and identity crime. Last fall the vendor council formed an identity 
management working group to develop an inventory of best prac- 
tices for assisting victims of identity crime and suggesting improve- 
ments in law and corporate practice to make it easier for victims 
to dispute false claims and reclaim their identity. My testimony 
today will speak to the victims’ bill of rights and the written testi- 
mony has much other background information. 

Identity crime victims deserve the same rights as other crime 
victims. Identity crimes can be physical, emotional, and financial. 
Today, most identity crimes will be treated as misdemeanors or 
very low-level felonies, and the majority of prosecutions will be civil 
as opposed to criminal actions. We need better coordination, aware- 
ness of the victim experience, and concrete steps for correcting 
identity records. 

For the benefits of individuals, business and society, we propose 
the following bill of rights for identity crime victims: the right to 
assessment; the right to restoration; the right to freedom from har- 
assment; the right to potential prosecution of the offenders; and the 
right to restitution. And I will explain a little bit on each. 

In the right to assessment, consumers who suspect that they 
have become a victim of identity theft should have the right to as- 
sess the nature and extent of damages to their identity. FACTA al- 
ready grants many of these rights, but there is sometimes proce- 
dural Catch-22s. All businesses and governmental agencies should 
be required to provide notice to consumers when they suffer a data 
breach involving loss of sensitive personal information, but the 
present patchwork of State laws and government policy needs to be 
replaced with a uniform Federal statute spelling out notification re- 
quirements. 

The right to restoration is, ideally victims should be able to re- 
store their identities to their pretheft state. However, this is not al- 
ways possible, especially with the complexity of the crime and espe- 
cially with financial identity theft. Whether or not they can fully 
recover, it is imperative that victims be able to establish correct 
records and access all of those records in all kinds of institutions. 

Relevant privacy laws need to be reviewed and amended, giving 
victims the power to access and correct their own record. 

The right to freedom from harassment comes because sometimes 
collection agencies and others during and after the identity restora- 
tion process harass the individuals. The harassment happens be- 
cause business and law enforcement have no way to distinguish 
victims from the thieves. To combat this, some States have issued 
identity theft passports to identify that the victim has been a vic- 
tim of identity theft and help the person prove his or her identity. 
However, these can be easily forged. 

So however effective the documents are, it remains to be seen, 
but some system for identifying and verifying victims is needed. 

The right to potential prosecution of offenders: One of the great 
frustrations to identity crime victims is the lack of business and 
law enforcement resources to prosecute identity theft. Again, there 
is always a need to balance priorities and budgets, but these orga- 
nizations need to take the long view in the impact of identity 
crimes — first, that identity crime continues precisely because it 
pays; second, the FBI and Secret Service have found where there 
is one victim, there are usually more, and we need to look at this 
in an aggregate; third, not all of the costs of identity crime are im- 
mediately visible or measurable. 

The right to restitution is where identity crime victims can spend 
hundreds of dollars and they deserve restitution, the same as vic- 
tims of any other crime. Yet studies show that the defendants were 
ordered to pay in only about a third of the cases. Restitution will 
help make victims whole, send a message that identity crime is a 
real crime, and helps ensure when perpetrators are caught, iden- 
tity crime does not pay. 





To further help victims, the definition of compensable crime 
under Federal and State statutes should be expanded to include 
identity crimes. 

In summary, I am recommending three things in terms of pos- 
sible legislative actions, and then four other things. 

First, to enact a uniform scheme across industry and government 
to assist identity theft victims and that is to include the five items 
included in the Identity Theft Victims Bill of Rights. 

Second, to create a national standard of identification, one that 
cannot be forged by identity thieves that victims can use to distin- 
guish themselves. 

Third is to expand the definition of compensable crime under 
Federal and State law to include identity crime. 

Four other things are to invest in independent research on the 
effects of identity crime: 

We need to get beyond the anecdotes to understand the actual 
relationship between data breaches and identity theft and to be 
able to understand what policies and law enforcement procedures 
are effective. 

Second, there need to be standard dispute procedures in industry 
and law enforcement where, upon resolution, victims could receive 
standardized verifiable letters proving the issues have been re- 
solved. 

Third is the Federal Trade Commission does a terrific job in 
overseeing victims’ rights, but it could be expanded; and perhaps 
the role to make sure there is cohesiveness across national laws 
and to also make sure that law enforcement is investigating iden- 
tity crime in a consistent way. 

Last, there is much discussion, especially after today’s announce- 
ment on a consumer financial protection agency; in that dialog, the 
idea of identity theft policies and education should be included. 

We thank you for this opportunity to present testimony. And 
again, if there are any questions, I would be happy to answer them. 

Mr. Clay. Thank you for your testimony. 

[The prepared statement of Ms. Allen follows:] 





STATEMENT 


CATHERINE A. ALLEN 

CHAIRMAN AND CEO, THE SANTA FE GROUP 


INFORMATION POLICY, CENSUS, AND NATIONAL ARCHIVES 

SUBCOMMITTEE 

OVERSIGHT AND GOVERNMENT REFORM COMMITTEE 


"IDENTITY THEFT: A VICTIMS BILL OF RIGHTS" 


WEDNESDAY, JUNE 17, 2009 
2154 Rayburn HOB 
2:00 p.m. 





Testimony of Catherine A. Allen 
Chairman and CEO, The Santa Fe Group 

June 17, 2009 


Introduction 

Chairman Clay, Ranking Member McHenry, and members of the Subcommittee, thank you 
for your leadership in highlighting the issue of victims of identity crime — especially those 
who are victims of the most complex and invasive of these crimes — and the often long and 
lonely road they walk toward restoration. 

I am Catherine Allen, Chairman and CEO of The Santa Fe Group, a strategic consulting firm 
specializing in emerging technologies, risk management, payments strategies, innovation 
and public policy. The Santa Fe Group is based in Santa Fe, New Mexico, and serves global 
clients. 

I have spent most of my career in the financial services industry. From 1996 to 2007, I was 
the Founding CEO of BITS, a CEO-driven nonprofit financial services industry consortium 
and think tank, focused on emerging technologies, fraud prevention, cybersecurity, and 
payments. Its members are 100 of the largest financial institutions in the US. BITS is now a 
division of The Financial Services Roundtable. 

Today I am also involved in efforts to examine the way the financial services industry is 
regulated and the impact of industry policy on consumers. These efforts include advisory 
roles in the Bipartisan Policy Center’s Regulatory Reform Roundtables and the Financial 
Services Regulatory Reform Collaborative. I also chair the advisory board of the National 
Foundation for Credit Counseling. In each of these roles, I work to explore the interaction of 
the financial services industry with consumer, economic, and regulatory issues facing our 
country and the global community. 

Today’s testimony reflects the work of The Santa Fe Group Vendor Council, which was 
formed in 2006 to bring together thought leaders at service provider organizations to 
respond to the needs of industry, including financial services, government, and regulatory 
agencies, and other constituents, and to encourage innovative, forward-thinking strategies 
that benefit all of us. The Vendor Council promotes the development of secure, best-in-class 
technology solutions, standards, and business processes, as well as industry best practices 
related to fraud, payments, cybersecurity, data protection, and identity crime. 

Last fall, the Vendor Council formed an Identity Management Working Group to develop an 
inventory of best practices for assisting victims of identity crime and suggesting 
improvements in law and corporate practice to make it easier for victims to dispute false 
records and reclaim their identity. A first step was the release of a draft briefing paper 
entitled Victims' Rights: Fighting Identity Crime on the Front Lines in April of this year. The 
Vendor Council continues to work on this issue. 




Like you, Chairman Clay, I am originally from Missouri. In April I spoke to more than 300 
Missourians about identity crime at the University of Missouri along with Rick Kam, Chair 
of the Vendor Council’s Identity Management Working Group and President of member 
company, ID Experts. 

While the Internet has brought tremendous local and global opportunities, the proliferation 
of its use by criminals has endangered ordinary Americans in new ways. I'm speaking in 
particular about the financial health and privacy of the average American. 

Identity crime is a global economic problem. It is a low-overhead, high-margin business for 
criminals and can be performed from a distant location; indeed, not just across a state or a 
country, but from another continent. Identity theft can also be perpetrated right in your 
own backyard, from "dumpster diving" to mail theft, to people who prey on unsuspecting 
relatives with whom they share a home. The reason I focus in part on data breaches today 
is that identity theft is increasingly perpetrated on a large scale by sophisticated organized 
criminals around the globe who no longer have to risk bodily harm to perpetrate their 
crime. They just need a computer and a sophisticated understanding of information 
technology systems. Crimes targeting ordinary Americans originate in the Ukraine, Nigeria, 
and other far-flung locations around the globe. And I believe what we're seeing now is just 
the tip of the iceberg. 

Millions of dollars are being poured into efforts to halt identity theft. This is appropriate. 
That said, I believe that the discussion of identity theft too often leaves one important voice 
out of the debate: the victim. It is on behalf of victims’ rights that I come to testify before 
you today. 

Identity crime losses are expected to grow exponentially as more and more crimes put 
victims in the middle of large-scale cybersecurity attacks. Many of these attacks will not be 
discovered for years, placing the victims in the most vulnerable position. When I last 
testified before you on one panel, the CIO of the State of Missouri talked about the theft of 
student information from the University of Missouri's law and medical schools. The 
criminals, who were apprehended, said they planned to hold the information for ten years, 
and then use it to perpetrate identity crime against those students, who by then were likely 
to have significant assets. 


The Victim Experience 

Victims of true identity crime, which goes far beyond theft and one-time use of a credit or 
debit card, often suffer financially and may bear a significant burden in time spent 
recovering. Various studies put the expense to victims at anywhere from $0 to $950 and 
the time spent at anywhere from four to 165 hours. Many victims have their credit card 
applications denied or their existing accounts canceled; others are denied loans or lines of 
credit. Children’s identities are stolen before they’re old enough to write their own names, 
leaving parents to sort out the problem and clean up their records. Given the state of the 


Testimony of Catherine A. Allen, Chairman and CEO, The Santa Fe Group 




economy, this all adds up to a tremendous hardship at a time when individuals and families 
are already suffering. Indeed, low-income families in particular suffer when identity crime 
strikes. 

In spite of consumer protection laws, identity crime victims, especially those who are 
victims of complex and invasive forms of identity crime, are often thwarted in recovering 
and restoring their own identities. Many victims face a complex and disjointed maze, 
however well-intended, of privacy laws, public and private information sources, and 
financial, law enforcement and other organizations, each with distinct rules and priorities. 
As a result, a victim's life can be disrupted for years. In addition to financial losses from 
identity crime, businesses experience lost productivity and consumer distrust. In cases of 
medical identity theft, misinformation may become part of a person’s medical record, 
potentially endangering their health and well-being and the integrity of our electronic 
healthcare system in general. 

Our focus on victims' rights is an attempt to bring awareness to the plight of individuals 
whose information is stolen for the express purpose of identity theft. Too often identity 
crime is treated as victimless, which it is certainly not. 

Although legislative and law enforcement responses to identity crime are evolving, victims 
still lack adequate protection and support, with at times devastating effects. Here are just a 
few examples of the challenges and frustrations experienced by some identity crime 
victims: 

• The victim may not realize a crime has occurred for months or even years, by which 
time his or her financial, medical, and civil identities may all have been damaged. A 
report by the Economic Crime Institute of Utica College and LexisNexis found that 
20% of identity theft resulted in multiple crimes. 

• The victim may have to deal with a confusing array of businesses and institutions. 
To help correct records, victims may request written documentation of identity 
misuse, but financial, medical, or other organizations sometimes refuse on the basis 
of current privacy laws that protect data but do not necessarily permit access to 
data, or they may insist on being provided proof from law enforcement or some 
other organization that a crime has occurred. 

• Some states now have legal requirements that victims file a police report. (Victims' 
rights groups have advocated for these laws to help real victims while preventing 
fraudsters and pretexters from using false claims to access sensitive information for 
improper purposes.) But law enforcement processes are not always in place, so 
when victims try to file a report with police, they may be told that they don't need to 
file a report or that they need to talk to one or more additional departments. And 
many individual identity crimes fall below the financial threshold that would trigger 
federal, state, or even local law enforcement agencies to act. Unfortunately, this 
permits large organized crime identity theft scams to go undetected for months and 
years, adding one individual identity theft victim after another. 




• Law enforcement may not prosecute identity theft crimes. And even if convinced 
that transactions are fraudulent, some businesses won’t pursue or prosecute thieves 
when it doesn't make financial sense to do so. 

• In some cases, victims are suspected of claiming identity theft to avoid paying 
legitimate charges. Victims may be required to establish that a crime has occurred. 
When victims are already in debt, some financial institutions may be predisposed to 
accuse them of scamming. 

• Many organizations won’t share evidence with victims. A victim may not be allowed 
to see applications submitted in his or her name, even though these documents 
could help the victim locate and stop the identity thief. Access to data held about an 
individual is one of the global privacy principles that has not yet been implemented 
into US laws as it has in other countries. 

• Privacy laws make medical identity theft even harder to combat. Medical 
institutions are required by the Health Insurance Portability and Accountability Act 
(HIPAA) to protect patient information, and some organizations believe that applies 
even if that patient is being treated under a false identity, making it very difficult for 
victims to remove misinformation from their medical records. The Department of 
Health and Human Services (HHS) is attempting to educate the medical community 
that HIPAA does not intend to restrict patients from changing false data. 

• If criminal acts are committed under a stolen identity, the first news a victim often 
has of the theft may be when he or she is arrested. And if a person is falsely arrested 
or if a pre-employment background check incorrectly indicates a criminal record, 
the victim may need to go through a "reverse booking,” which requires the person to 
prove his or her innocence. 

In addition to these obstacles, there are significant non-monetary effects on identity crime 
victims when the crimes are complex, just as there are in violent crimes. Victims often 
receive little emotional support from family, friends, colleagues, and employers who don’t 
understand the challenges of identity recovery. According to a 2008 report by the Identity 
Theft Resource Center, identity crime victims that responded to their survey expressed 
feelings of rage, anger, and betrayal; the sense that they were powerless; personal financial 
fears; and feelings of loss of innocence. They also reported sleep disturbances and an 
inability to trust other people. Long-term emotional responses included suicidal thoughts 
(4%), the desire to give up and stop fighting the system (25%), and the feeling that they 
had lost everything (10%). 




Public and Private Sector Efforts to Help Victims 

A number of government and industry organizations deal with identity crime in some 
capacity. These efforts represent substantial steps in responding to identity crime and 
assisting victims. 

The Federal Trade Commission (FTC) is the center of public outreach efforts, providing 
consumers with information on identity theft scams, steps to take if you think you’re a 
victim, a recovery toolkit, and other resources through its website and support center. The 
website offers comprehensive identity crime information, from a quiz for consumers to 
gauge their identity crime knowledge to in-depth reports, guides for businesses and 
information about the President’s Identity Theft Task Force. In addition, the FTC has made 
recommendations to Congress on limiting the use and display of Social Security numbers, 
provided training to law enforcement and others who can assist identity theft victims, and 
enforced new identity-theft related rights under the Fair and Accurate Transactions Act, 
such as the right to free annual credit reports. 

The Department of Justice (DOJ) prosecutes identity crimes, working with the FBI, US 
Secret Service and the US Postal Inspection Service. Its website offers information for 
consumers about identity crime, including what to do if you think you may be a victim. The 
DOJ is part of the Interagency Working Group on identity theft and works with the FTC and 
other agencies that have a stake in identity crime. 

The Social Security Administration (SSA) presents an electronic fact sheet for consumers 
and works with the FTC and other government agencies to prosecute identity crime 
involving Social Security. The agency also provides some victim services such as 
replacement of lost or stolen Social Security cards, corrections to earnings records and, in 
special circumstances, issuance of a new Social Security number. 

In addition to these government agencies, there are several private-sector organizations 
aimed at helping consumers. The Identity Theft Resource Center (ITRC), which is also 
giving testimony today, is a private not-for-profit that conducts research; advises 
policymakers, law enforcement and businesses; and provides consumer and victim support 
as well as public education. 

The Identity Theft Assistance Center (ITAC) was created in 2004 by 50 of the nation’s 
largest financial services companies under the sponsorship of BITS and The Financial 
Services Roundtable. Today the ITAC provides free victim assistance and has helped more 
than 55,000 consumers restore their financial identity. 

The Privacy Rights Clearinghouse is a nonprofit consumer education and advocacy project 
that advocates for consumers’ privacy rights in public policy proceedings, and the 
Electronic Privacy Information Center (EPIC) is a public interest research center 
established “to focus public attention on emerging civil liberties issues and to protect 
privacy, the First Amendment, and constitutional values.” 




While all of these efforts are meaningful and do help, much more can and should be done to 
help victims. 


The Legislative Landscape 

Lawmakers have been aware of identity theft since the late 1990s. There are several 
federal laws related to identity crime. There are also hundreds of state laws on identity 
crime that vary widely in their approach. 

Federal legislation on identity crime includes: 

Identity Theft Enforcement and Restitution Act of 2008 

This legislation makes it easier to bring hacking and other cybercrime charges against an 
individual, eliminating the federal requirement that prosecutors show the crime caused at 
least $5,000 in damages. In addition, this law makes it possible to bring felony charges 
against multiple offenders, allows crimes committed within a single state to be prosecuted 
in federal courts, and directs the U.S. Sentencing Commission to review its guidelines and 
consider increasing the penalties for those convicted of identity theft, computer fraud, 
illegal wiretapping, or breaking into computer systems. 

GLBA and Financial Services 

The Gramm-Leach-Bliley Act (GLBA), aimed at the financial services industry, provides 
significant privacy protections against the disclosure of nonpublic personal information. 
GLBA includes safeguards such as: certain data, such as account numbers, cannot be used 
for marketing under any circumstances; nonpublic personal information may not be 
disclosed unless consumers are given notice of information-sharing policies and the 
opportunity to opt-out of information-sharing activities; and financial service providers are 
required to employ data security safeguards to protect personal information. Financial 
institutions are also required to provide notice of data breaches. 

HIPAA and Medical Privacy 

Enacted to protect health insurance coverage for workers and their families when they 
change or lose their jobs, the Privacy Rule of HIPAA establishes regulations for the use and 
disclosure of Protected Health Information (PHI), which includes any information about 
health status, provision of healthcare, or payment for healthcare that can be linked to an 
individual. In practice, PHI is taken to include any part of a patient's medical record or 
payment history. Congress recently enacted legislation requiring entities that maintain PHI 
to notify individuals in case of a breach. The FTC and HHS are currently promulgating their 
own rules to implement this requirement. 

FACTA and the Red Flag Rule 

The Fair and Accurate Credit Transaction Act of 2003 (FACTA) added new sections to the 
Fair Credit Reporting Act (FCRA) granting consumers the right to free credit reports, the 
right to place fraud alerts on credit accounts, and the right to obtain copies of fraudulent 
documents and to obtain debt information from collections agencies. FACTA also allows 
consumers a right to an Identity Theft Report that can empower the consumer to block the 
reporting of fraudulent data by credit reporting agencies and data furnishers; it can also be 
used to require collection agency activity to stop. Under the terms of the Red Flag Rule of 
FACTA, all financial institutions and creditors will be required to have a program in place to 
prevent and mitigate the effects of identity theft. The FTC has published guidelines on 
recognizing identity theft and established 26 red flags that financial institutions should 
consider when creating their mandatory identity theft programs. 

Government Requirements on Data Breach 

According to a memorandum issued February 4, 2008, from the U.S. Office of Management 
and Budget: "In the event of a data breach, government agencies [must] promptly conduct a 
risk analysis and be prepared to submit a report containing the findings to the 
Congressional Oversight Committees of the U.S. Senate and House of Representatives, as 
appropriate." As indicated, government data breach policies focus on assessment with an 
occasional nod towards victim notification and credit protection. Faced with limited 
resources, government agencies are focused mainly on preventing large-scale data breach 
incidents. 

Additionally, the Privacy Act of 1974, which focused on government acquisition of data on 
US citizens, established a penalty for data breaches and the right of individuals to request 
release of their information. 

REAL ID Act 

Under the Real ID Act, states are encouraged to implement more secure drivers' licenses. 
In conformance with federal requirements, states are instituting more secure forms of 
personal identity (driver's licenses, etc.). Many now require additional "breeder 
documents” to establish identity (such as passports and certified birth certificates), and 
they use secure manufacturing processes and incorporate watermarking, holograms, or 
other advanced security features into the documents. 

State Laws on Identity Crime 

Currently, 44 states have laws requiring that an organization notify every person whose 
privacy was compromised when customer or employee data is lost or leaked. (Generally 
these apply to unencrypted personal information.) While the requirements vary by 
industry and jurisdiction, failure to notify will put most organizations at risk of legal and 
financial penalties. Some states are also issuing "identity passports” to identity theft 
victims, certifying that their identity has been stolen, and helping protect them from false 
arrest and other risks. How effective these documents are remains to be seen. A number of 
states have taken steps to implement information security laws, notably Massachusetts, 
where all types of organizations — not only financial institutions — that process personal 
information on Massachusetts residents will be required to have a comprehensive 
information security program in place beginning January 1, 2010. This program was 
created to meet a number of prescriptive requirements. 

A number of bills are pending right now that would be appropriate vehicles for victims’ 
rights provisions. We look forward to providing our expertise at the appropriate time to 
ensure upcoming legislation includes language that protects the rights of identity crime 
victims. 


An Identity Crime Victims Bill of Rights 

Identity crime victims deserve the same rights as other crime victims. Identity crimes can 
have physical, emotional, and financial impacts comparable to other crimes. While much is 
being done in the private and public sectors to help victims, we still lack adequate 
provisions for restoration, reparation, or even prosecution. Today, most identity crimes 
will be treated as misdemeanors or very low-level felonies, and the majority of 
prosecutions will be civil as opposed to criminal actions for both individuals and organized 
crime thefts. We need better coordination, awareness of the victim experience, and 
concrete steps for correcting identity records. 

For the benefit of individuals, business, and society, I propose the following rights for 
identity crime victims: 

• The right to assessment 

• The right to restoration 

• The right to freedom from harassment 

• The right to potential prosecution of the offender(s) 

• The right to restitution 

Below are some concrete steps that policymakers can take towards empowering victims to 
stem the tide of identity crime. 

Right to Assessment 

Consumers who suspect they have become a victim of identity crime should have the right 
to assess the nature and extent of damage to their identity. FACTA already grants many of 
these rights, but consumers face procedural Catch-22s when trying to exercise them. For 
example, consumers often must present a bank with a police report before they can 
retrieve the information needed to assess their situation, but most police departments 
won’t take a report without evidence of a crime. (The policing community, including the 
International Association of Chiefs of Police, has increasingly recognized the need to take 
such reports, and more police departments around the country are doing so.) Businesses 
and law enforcement need effective, uniform requirements and processes for handling 
identity theft cases, and relevant privacy laws must be reviewed and amended to protect 
identity crime victims instead of thwarting their recovery. 

Businesses and government agencies should be required to provide notice to consumers 
when they suffer a data breach involving loss of sensitive personal information. The 
present patchwork of state laws and government policy needs to be replaced with a 
uniform federal statute spelling out notification requirements. Clear guidelines would help 
businesses contain costs and limit legal liability through compliance and enhance 
consumer protection. Any federal law should contain a "safe harbor” provision for small 
businesses, setting their notification requirements at an affordable level with scalable data 
security safeguard requirements. 

Right to Restoration 

Ideally, victims should be able to restore their identities to their pre-theft state. However 
this is not always possible because of the complexity of the crime, especially in cases of 
financial identity theft. Whether or not they can fully recover, it is imperative that victims 
be able to establish correct records. Relevant privacy laws need to be reviewed and 
amended, giving victims the power to access and correct their own record in cases of 
identity crime. One issue up for debate is how to provide the right of consumer access and 
correction without jeopardizing the integrity and reliability of the underlying records. To 
empower consumers and ease companies' fears about liability, lawmakers and industry 
could charter an organizational entity that operates across the public and private sectors 
and validates identity, just as credit bureaus and Public Key Infrastructures perform 
similar services around identity today. This model could be tested initially as a private 
service, but it ultimately needs to be publicly available. 

As with the right to assessment, identity restoration would be far simpler if we could do 
away with the patchwork of state laws and create one federal standard. Businesses support 
this notion, because it will limit their liability, simplify processes, and mitigate costs. 

Right to Freedom from Harassment 

Identity crime victims should be protected from harassment by collection agencies and 
others during and after the identity restoration process. Harassment often continues 
unabated because business and law enforcement have no way to distinguish victims from 
debtors and thieves. To combat this some states are issuing identity theft "passports” to 
verify that the carrier has been a victim of identity theft and help the person prove his or 
her identity. How effective these documents are remains to be seen. (The DOJ's Office for 
Victims of Crime funded the Ohio Attorney General’s identity theft passport program as a 
demonstration program, but the department has not yet fully evaluated the program's 
effectiveness.) In any case, victims desperately need a reliable way to identify themselves 
and prove they are who they say they are. 

Right to Potential Prosecution of Offenders 

One of the great frustrations to identity crime victims is the lack of business and law 
enforcement resources to prosecute identity thieves. Of course, law enforcement needs to 
balance priorities and budgets, and business must weigh the costs and benefits of 
prosecution. However, these organizations need to also take the long view on the impact of 
identity crimes: 

• First, identity crime continues precisely because it pays. If prosecution stops the 
payoff, it will help to deter the crime and contain future costs. 

• Second, the FBI and Secret Service have found that where there is one victim, there 
are more. So instead of writing off the costs of an individual case, organizations 
should consider that for every instance of identity crime, there may be many others 
as yet undiscovered or yet to be committed by the same crime ring or individual. 

• Third, not all the costs of identity crime are immediately visible or measurable. This 
fact needs to be taken into account when weighing the costs of prosecution. There 
should also be increasing accountability for businesses that fail to reasonably secure 
personal information. Today many states and certain industries have notification 
requirements for data breach. Other states are taking steps to implement 
information security laws, and certain sectors (healthcare and financial) have 
safeguards rules in place. 

Right to Restitution 

Identity crime victims can spend hundreds of dollars and dozens of hours, and can 
experience untold misery during the process of restoration. They deserve restitution, the 
same as victims of other crimes, yet a study by the Center for Identity Management and 
Information Protection shows that defendants were ordered to pay restitution in only 
about a third of the cases studied. Restitution will help make victims whole, sends a 
message that identity crime is real crime, and helps ensure that when perpetrators are 
caught, identity crime does not pay. 

The need for restitution has begun to be addressed at the national level through the 
Identity Theft Enforcement and Restitution Act of 2008, which makes it easier for victims 
to claim compensation from convicted offenders. The law states that in cases where 
convicted identity thieves are ordered to pay restitution, the victim should get a portion of 
the money "equal to the value of the time reasonably spent by the victim in an attempt to 
remediate the intended or actual harm incurred by the victim from the offense.” 
Compensation for time is only a start, but it is a good start. To further help victims, the 
definition of "compensable crime" under federal and state statutes should be expanded to 
include identity crimes. Finally, the Department of Justice has specific statutory obligations 
with respect to crime victims, including restitution. However, in many cases full restitution 
is effectively impossible where the cost to the victim substantially exceeds a convicted 
offender's financial resources. 


Recommendations for Protecting Victims’ Rights 

In summary, my testimony today advocates for the following legislative actions to help 
victims: 

• Do away with the patchwork of state laws for identity restoration and create 
one federal standard. 

• Require a federal standard for mandatory law enforcement breach reporting 
for all sectors and cost-effective breach notification to consumers. 

• Enact a uniform scheme across industry and government to assist identity 
theft victims: include assessment, rectification, freedom from harassment, 
authentication, and protection of information for victims. 




• Create a national standard of identification — one that cannot be forged by 
identity thieves — that victims can use to distinguish themselves from thieves 
and identify themselves to businesses, law enforcement and others. 

• Expand the definition of "compensable crime" under federal and state law to 
include identity crime. 

Additionally, these steps could be taken right now to strengthen victims’ rights and help 
stem the tide of identity theft: 

1. Invest in independent research on the effects of identity crime. To make fully 
informed decisions, we need a thorough understanding of the costs of identity crime. We 
aren't prepared to create comprehensive, effective solutions because there are too many 
unanswered questions about what’s happening in policy, industry, and law enforcement. 
Organizations should be tracking the costs of identity theft, and there should be public 
funding available to assess the effectiveness and effects of policy, either built into 
legislation or in the budgets of organizations such as the Department of Justice and FTC. 
Independent research could lead to improved practices, better education, evidence-based 
policy, and better ways to authenticate people’s identities when conducting public or 
private transactions. 

2. Create standard dispute procedures in industry and law enforcement. Upon 
resolution, victims would receive standardized, verifiable letters proving that issues had 
been resolved. 

3. Empower the FTC to oversee victims’ rights. The FTC should be charged with 
oversight of proposed policies for cohesion across national laws for effectiveness, and to 
anticipate and prevent unexpected consequences. This should include ensuring that law 
enforcement is investigating identity crime cases consistently and effectively. This 
approach would work in concert with the efforts of programs such as the Social Security 
Administration, the Pentagon and Veterans Administration, Homeland Security, Medicare, 
and others to create consistent policies and processes regarding identity theft. 

4. Include identity theft victims’ rights in any dialogue about a Financial Product 
Safety Commission. If a proposed commission focused on financial products and services 
emerges, financial identity theft policies and education might be considered under its 
jurisdiction and should be included in the dialogue. 


Conclusion 

Mr. Chairman, many victims of identity crime suffer greatly in the aftermath of this crime. 
They continue to receive constant reminders of the crime as new information surfaces 
about the misappropriation of their identity. To make matters worse, policy and protocols 
often fail to meet their recovery needs. 




Establishing a Victims Bill of Rights and including it in consumer protection legislation is a 
fundamental first step in achieving awareness, consensus and the collaboration required to 
develop practical solutions. 

Thank you for this opportunity to present on the plight of victims and the Victims Bill of 
Rights, and thank you, again, for your leadership in bringing light to this important issue. 
Our group stands as a ready resource to you and the other members of this committee as 
you consider ways to protect and support victims of identity crime. 




Mr. Clay. Mr. Rotenberg. 

STATEMENT OF MARC ROTENBERG 

Mr. Rotenberg. Mr. Chairman, I appreciate the opportunity to 
testify today on this very important issue for American consumers. 

My organization, the Electronic Privacy Information Center, has 
been working on the issue of identity theft almost since our founding 
15 years ago. In fact, I was going to mention to Mr. Driehaus 
that one of our first cases concerned the privacy of the Social Security 
numbers of employees in the State of Ohio, and we succeeded 
in that case. They limited the use of — the publication of the SSNs, 
but that continues to be a very serious problem. 

My comments today are directed toward what we see as the root 
causes. On the first panel you heard from the Federal Trade Commission. 
They talked about how they are assisting the victims of 
identity theft after they run into problems. 

The Department of Justice is prosecuting the crime after the 
crime occurs, but in our opinion, not enough is being done to address 
the root causes of the identity theft problem. And so in my 
statement, which I will briefly summarize now, I am going to try 
to speak to that issue and suggest specifically for this committee 
some steps you might take to reduce the problem of identity theft 
in this country. Because, as you know, not only is it a significant 
problem, but in fact the No. 1 concern of American consumers. According 
to the Federal Trade Commission, it is a growing problem 
and that number has been increasing since the FTC has been keeping 
track of it. 

And it is an evolving problem. I think we are about to experience 
new forms of identity theft. The Wall Street Journal, for example, 
reported just this week about an identity theft investigation in Los 
Angeles involving improper use of medical records information. We 
will hear more about that as more of our personal medical information 
is digitized and made available online. 

So I would like to address five steps I believe the committee 
could take to try to reduce the problem at its source. 

One of the concerns today, I believe, should be the increasing 
transfer of information within the government onto the Internet. 
You’ve already heard about people getting access to public record 
information that contains Social Security numbers and bank account 
numbers. 

There is a big push right now in the Federal Government to take 
advantage of some of the new Web 2.0 services; and we certainly 
support the President’s call to make public information more widely 
accessible to the public, but we think that privacy protection has 
to be part of that process. Privacy issues have not been given 
enough attention so far in this new push to make Federal information 
available online. We hope more can be done. 

We think there are similar concerns with respect to the 
outsourcing of government services. A lot of personal data is moved 
from government agencies to private contractors, and it is not always 
clear if those contractors are subject to privacy act obligations 
or other contractual obligations to protect the personal information 
of the U.S. citizens that they now have obtained. 





You may recall, in fact, Mr. Chairman, last year in the run-up 
to the Presidential election, there was the case over at the State 
Department involving the passport records of then Senator Obama 
and Senator Clinton and Senator McCain that were all improperly 
accessed by private contractors. That is closely tied to the issue of 
identity theft, and we believe it is an issue that this committee 
could look at. 

Privacy legislation is a very important part of the way to get to 
the root cause of the problem. It is simply too easy today for com- 
panies to collect a lot of detailed information about Americans. 
They have too few responsibilities, and it is too difficult, I believe, 
for Americans to protect their information once they have turned 
it over to a bank or to some other firm. 

What privacy legislation will do is put some obligations on those 
companies to ensure better security, better safeguards. And also, I 
hope it will get some of those companies to think about whether 
it is such a good idea to collect Social Security numbers, which we 
know will be the target for identity thieves who are trying to get 
access to that information. 

If fewer organizations in this country were collecting the Social 
Security number and using the Social Security number, we think 
the problem of identity theft would go down. 

We would also like to see more emphasis on privacy protection 
in the administration’s focus on cybersecurity. There is a lot of talk 
right now about strengthening the Nation’s infrastructure. Part of 
that has to be about the protection of personal information that is 
being stored on computers and servers in the United States. 

Finally, Mr. Chairman, I would like to raise one issue; it is a lit- 
tle bit futuristic, but at the same time we believe it goes to the 
heart of the problem, and it is going to be with us for some time. 
We think Americans need better tools for identity management. By 
that I mean, we need better ways for people to interact with gov- 
ernment, for people to interact with businesses without being re- 
quired to disclose so much personal information or to give up a 
number that links together all of their personal information. 

That is the essential problem with the Social Security number: 
It links together too much data. We think new tools for identity 
management could help address that problem as well. 

Thank you again for this opportunity. 

Mr. Clay. Thank you for your testimony. 

[The prepared statement of Mr. Rotenberg follows:] 






ELECTRONIC PRIVACY INFORMATION CENTER


Testimony and Statement for the Record of 


Marc Rotenberg 
Executive Director, EPIC 

Hearing on 

"Identity Theft: A Victim’s Bill of Rights" 


Before the 

United States House Committee on 
Oversight and Government Reform, 
Information Policy, Census and 
National Archives Subcommittee 


June 17, 2008 

Room 2154, Rayburn House Office Building 
Washington, DC 




Mr. Chairman and Members of the Committee, thank you for the opportunity 
to testify today on "Identity Theft: A Victim’s Bill of Rights.” My name is Marc 
Rotenberg and I am Executive Director of the Electronic Privacy Information Center. 
EPIC is a non-partisan, public interest research organization, focusing on emerging 
privacy and civil liberties issues. EPIC has particular interest in the problem of 
identity theft and we appreciate the interest of this Committee in this very 
important topic. 

The problem of identity theft in the United States is substantial, growing and 
evolving. According to the Federal Trade Commission, identity theft is the number 
one concern of American consumers. And it is on the rise. Further, what was once 
understood as a financial crime is now entering other realms. Medical identity theft 
is a growing problem. And problems may soon emerge with many of the new web- 
based government services unless the problem of identity management is not 
adequately addressed. 

Several steps have been taken to assist the victims of identity theft and to 
prosecute criminals. But in our opinion, none of these efforts get to the root causes 
of the problem. The Federal Trade Commission assists consumers after they believe 
they have been victims of identity theft. The Federal Bureau of Investigation 
investigates cases of identity theft after the crime has occurred. Even the former 
President’s Identity Theft Task Force focused primarily on expanding prosecutorial 
authority rather than reducing the likelihood that the crime would occur. While the 
FTC’s “Red Flags Rule" is a step in the right direction, more should be done to 
prevent Americans from becoming identity theft victims. 

In my testimony today, I will outline the elements of a more comprehensive 
strategy to address the problems of identity theft. The strategy highlights the new 
forms of identity theft, draws on several proposals already under consideration in 
Congress, considers how technology could give individuals greater control over 
their personal credentials, and avoids the tendency to deal with the problem after it 
has occurred. 

In the end, I believe that our goal should be to reduce the number of people 
who are victims of identity theft. But that will require getting to the source of the 
problem and reducing the opportunities for the crime to occur. 

I. The Problem of Identity Theft 

If a person steals cash from your wallet or a camcorder out of the back seat of 
your car, you are generally aware of the crime, can quickly assess the damages, and 
are unlikely to suffer any greater harm. The cash is gone. The camcorder is gone. But 
that is the extent of the loss. That is the end of the story. 


House Oversight Committee 
Identity Theft 


1 


EPIC Testimony 
June 17, 2009 





If a person obtains your credit card number or obtains the credentials that 
allow you to open a bank account, to receive medical care, or to access a web site, it 
is very different story. First, you probably will not know when the theft has 
occurred. Second, you probably will not know when you are harmed. Third, even if 
there is an investigation, it is unlikely that you will be able to continue to use the 
credentials as you have in the past. New accounts will be established, new numbers 
will be created. But the fraudulent transactions will linger and the ongoing harm to 
your credit record, your medical records, even your web access remains. 

The loss of control over the credentials that make it possible for us to engage 
in financial transactions, receive medical care, or even communicate online poses a 
very different problem than the hazards associated with traditional theft. As others
have noted, identity theft is both a crime and it facilitates further crime. Public 
concerns about identity theft are widespread. Identity theft ranks first on the FTC's 
2008 survey of consumer complaints. 1 An April 2007 Zogby Interactive Survey 
"found that ninety-one percent (91%) of adult users on the Internet are concerned 
that their identities may be stolen (including fifty percent (50%) who are very 
concerned)." 2 As of June 2005, forty-eight percent (48%) of consumers avoided 
making purchases on the internet because they feared that their financial 
information might be stolen. 3 Consumers’ concerns are well founded. Identity theft 
complaints exceeded 300,000 in 2008. 4 An FTC study estimates that identity
theft costs Americans approximately $15.6B annually. 5 

Both businesses and government need to consider how best to provide 
services while minimizing the risk that personal information will be misused. 

II. Medical Identity Theft

The problem of identity theft is not limited to financial fraud. Medical 
identity theft takes place when a fraud utilizes an individual’s personal identity to 
take advantage of insurance benefits, to gain free medical services, or even to create 
fake claims for financial assistance using the individual’s identity. There have been 
19,428 complaints regarding medical identity theft to the Federal Trade 
Commission since January 1, 1992, the earliest date the FTC began recording such 


1 Federal Trade Commission, FTC Releases List of Top Consumer Complaints in 2008, 
http://www.ftc.gov/opa/2009/02/2008cmpts.shtm. 

2 Zogby Poll: Most Americans Worried About Identity Theft, available at 

www.zogby.com/search/readnews.dbm?ID=1275 cited by Prepared Statement of the Federal Trade
Commission House Committee on the Judiciary on Protecting Consumer Privacy and Combating Identity 
Theft, Before the Subcommittee on Crime, Terrorism, and Homeland Security (December 18, 2007). 

3 Cyber Security Industry Alliance, Internet Security Voter Survey (June 2005) at 9 available at
https://www.csialliance.org/publications/surveys_and_polls/CSIAJnternet_Security_SurveyJune_2 
005.pdf. 

4 Federal Trade Commission, FTC Releases List of Top Consumer Complaints in 2008, 
http://www.ftc.gov/opa/2009/02/2008cmpts.shtm. 

5 Federal Trade Commission, Federal Trade Commission - 2006 Identity Theft Survey Report, 
available at http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf.



complaints. 6 According to the World Privacy Forum, "medical identity theft victims
need an expanded right to correct their medical files in order to recover from this 
crime, and need more specialized consumer education that is focused on correcting 
the specific harms of medical identity theft." 7 

It is particularly important to implement safeguards against medical identity 
theft because the damage arising from the crime is severe, and recent efforts to 
digitize all medical records expose increasing numbers of Americans to risk. The
American Recovery and Reinvestment Act of 2009 establishes a National 
Coordinator for Health Information Technology, who is tasked with developing a 
“nationwide health information technology infrastructure that allows for the 
electronic use and exchange of information." 8 The law also provides for the 
expenditure of substantial federal funds to enhance the infrastructure for electronic 
health records. 9 

Although a transition from a paper system to an electronic system may be 
inevitable, "the transition must be done correctly and with an acknowledgement of 
risks such as those medical identity introduces, in mind." 10 Digitized patient records 
and the National Health Information Network in particular create two significant 
problems in the context of medical identity theft. The National Health Information 
Network "may make individuals more vulnerable to medical identity theft by 
making personally identifiable health information more accessible to criminals who 
have already learned how to work inside the health care system." 11 Digitized 
information is much more portable and lends itself to rapid transmission. These 
attributes are generally viewed as beneficial - they enable patients and health care 
providers greater access to medical records. However, in the hands of identity 
thieves, these benefits can become liabilities. Identity thieves can steal and transmit 
patients' health insurance data with the same ease that pathologists transfer 
patients’ test results to treating physicians. 

In the online context, consumers have little understanding of the risk of 
identity theft. Identity thieves continue to succeed through phishing, pretexting, and 
spyware and the mere lack of attention by consumers. This lack of attention clearly 
goes hand in hand with consumers’ lack of knowledge regarding the true dangers 
that may be present. Users are often focused on their primary tasks, and may not 
notice security indicators or read warning messages. 12 Additionally, lack of attention 


6 World Privacy Forum, Medical Identity Theft: The Information Crime that Can Kill You (May 3, 
2006) available at www.worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf. 

7 Id. 

8 The American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5 § 3001 (2009). 

9 Id. at §§ 3011,3018. 

10 supra note 7. 

11 Id. 

12 Id. at 3. 




to the absence of security indicators can be just as threatening. Users can easily 
overlook indicators for pages not protected by SSL. 13

III. Recommendations

1) Government Needs to Consider Privacy Protection in the Development of
Web 2.0 Services

We strongly support the recommendations of the Government Accountability 
Office to improve the security of agency databases that contain personal 
information. As the GAO noted, "The first key step is to develop a privacy impact 
assessment--an analysis of how personal information is collected, stored, shared, 
and managed--whenever information technology is used to process personal
information." 14 The GAO also recommends that agencies establish robust 
information security programs as required by the Federal Information Security 
Management Act (FISMA) of 2002. 

The problem is that the federal government is now moving forward with a 
series of recommendations to expand public access to government information 
without adequately considering the privacy consequences. 15 While we favor the 
President's call for increased collaboration, participation, and dissemination of 
government information, it is equally important to ensure that these programs do 
not jeopardize important privacy interests. 

EPIC has made specific recommendations to the Department of Homeland 
Security and to the Office of Science and Technology Policy to address some of these 
challenges. 16 Specifically, we said that the government should: 


• Stop the Commercialization of Personal Data Held By Government Agencies 

• Don't Track Users on Government Web Sites 

• Apply the Privacy Act to All Data Collected by the Government and
Government Contractors

• Apply Meaningful Rules for Public Comment Across All Platforms 

• Promote Open Government and Protect Privacy 


13 Id. at 3. 

14 Privacy: Preventing and Responding to Improper Disclosures of Personal Information: Summary.
U.S. Government Accountability Office, http://www.gao.gov/products/GAO-06-833T (last visited
June 12, 2009). 

15 See, e.g. President Barack Obama, Memorandum on Transparency and Open Government, January
21, 2009 available at
http://www.whitehouse.gov/the_press_office/TransparencyandOpenGovernment; The White House
Open Government Initiative, http://www.whitehouse.gov/open/; Public Workshop: Government 2.0:
Privacy and Best Practices, 74 Fed. Reg. 17876 (April 17, 2009).

16 http://opengov.ideascale.com/akira/pmd/6537-4049 



All of those proposals received many favorable comments - the proposal to limit the 
commercialization of personal data held by federal agencies was particularly 
popular. But there is no indication so far that the OSTP will carry forward these 
safeguards as it considers the deployment of new web 2.0 tools. 

We would ask the Committee to look more closely at privacy safeguards for 
new web-based government services. 

2) Government Needs to Consider Privacy in the Outsourcing of Government
Services

A related concern to the web 2.0 developments is the need to ensure that 
private contractors that obtain personal information from government agencies 
safeguard all of the information they obtain in accordance with the requirements of 
the Privacy Act. This is particularly important because individuals are often 
required to provide information to government agencies to obtain licenses, to 
purchase property, to pay taxes, to receive benefits, and so on. This could be a 
serious problem with the increased outsourcing of tax collection, which makes 
available very sensitive financial information to private firms. 

There is no sense in which a “privacy policy" is sufficient to protect the 
privacy of American citizens in this context. There must be enforceable privacy 
rights that bind all private contractors that obtain personal information from the 
federal government and there must be regular audits to determine compliance with 
legal standards. 

There are numerous stories of private contractors misusing access to 
personal information, including the reports in the 2008 presidential campaign 
season when State Department contractors improperly accessed the passport files 
of Senator Obama, Senator Clinton, and Senator McCain.

We would ask the Committee to consider additional steps that could reduce 
the risk of identity theft resulting from the transfer of personal information to the 
private sector. 

3) Comprehensive Privacy Legislation is Necessary 

The identity theft problem continues to escalate in part because it is too easy 
for companies to collect personal information and too difficult for individuals to 
safeguard their information once it is in someone else’s possession. Privacy policies 
do not provide privacy protection. All too often, they simply provide a waiver or 
disclaimer that allows companies to collect and use personal information as they 
wish. 


To reduce the risk of identity theft in the United States, Congress must adopt 
privacy legislation that places greater responsibilities on companies that collect and 



use personal information. Oversight by regulatory agencies, such as the Federal 
Trade Commission, is helpful, but individuals must also be notified when their data 
has been improperly released and they need an opportunity to seek damages when 
companies fail to safeguard the information they collect.

Comprehensive privacy legislation, including breach notification, will place 
appropriate burdens on companies that collect personal data. They will need to 
consider the risks of gathering sensitive data, such as Social Security Numbers, and 
of storing data longer than is necessary. Such legislation should also create 
incentives to develop new techniques that make it more difficult to commit identity 
theft and other crimes involving personal information. And it should not preempt 
stronger state laws. 

4) Cybersecurity Policies Must Focus on the Protection of Personal Information 

A related goal to reduce the risk of identity theft is to ensure that the nation's 
cybersecurity policies reflect a clear commitment to the protection of privacy. It is 
not simply computing resources that must be protected, but also the personal 
information about individuals stored on servers and transmitted across networks. 
Techniques that enable monitoring by third parties, even for lawful purposes, 
expose data that could be obtained and used for improper purposes. A cybersecurity 
policy that fails to consider this risk could actually magnify the danger of identity 
theft. 


5) Better Systems for Identity Management Need to be Developed

One of the key goals for the federal government over the next several years 
should be the development of an identity management system that is scalable, 
robust, and secure. Where identification is necessary, individuals should have the 
ability to provide only the relevant credentials that are necessary for the 
transaction. They should not be asked to provide a unique identifier that links to all 
of their personal information or that increases the risk of identity theft. 

The problem is that for too long the government has relied upon the use of 
the Social Security Number as the primary means to verify identity. This is a terrible 
practice for many reasons, not the least of which is the SSN’s link to many, many 
record systems. Social Security Numbers are also frequently used as both a record 
locator and a password. Not surprisingly, access to another person’s SSN is one of 
the easiest ways to commit identity theft. 

These problems with the SSN are also the reason that privacy advocates and 
technical experts have opposed the establishment of the REAL ID, a more modern 
form of the SSN that would make it easy to link together databases as well as to 
commit identity theft once the system was compromised. 




IV. Conclusion

In the years ahead, Americans will interact with government in an online 
world that is more complex and more information intensive than our current world. 
Even this Committee hearing, which was only recently made available over the 
Internet for viewing, could soon include blog posts, twitter feeds, and opinion polls 
that allow individuals to engage government and to express their views. Increased 
government openness and transparency is a boon for civic participation. But the 
government should exercise caution when implementing technologies that can 
expose citizens’ personal information to identity thieves and other bad actors. And 
legislators should enact comprehensive, meaningful privacy safeguards to protect 
individuals’ personal information. 

Thank you again for the opportunity to appear before the Committee. I will 
be pleased to answer your questions. 




Mr. Clay. Mr. Rebovich, you are recognized for 5 minutes. 

STATEMENT OF DONALD REBOVICH 

Mr. Rebovich. Good afternoon, Chairman Clay and members of 
the subcommittee. I appreciate the opportunity to appear before 
you to discuss the serious crime of identity theft, the impact it has 
on victims and what can be learned from criminological research in 
this area. 

The research center I direct, the Center for Identity Management 
and Information Protection, is housed at Utica College in central 
New York and is a research collaborative dedicated to the preven- 
tion and containment of identity theft. 

While the term “identity theft” is familiar to many, questions 
still remain about what the term really represents, what type of 
person is most likely to commit this type of offense, what criminal 
methods are most commonly used, and who is in most jeopardy to 
be victimized. As a criminologist, I believe that answering these 
questions brings us many steps closer to helping to lower the inci- 
dence of this insidious crime and protect the interests of those who 
fall victim to it. 

Now, my center undertook a challenging research endeavor with 
empirical analysis of over 500 U.S. Secret Service identity theft 
cases. We studied it. It covered over a period of 6 years. When the 
results were released, they were met with an interesting mix of cu- 
riosity and surprise. 

Contrary to some earlier victim surveys, this study found that 
many victims did not know their offenders. The median loss for a 
case was found to be over $30,000, much more than the average 
estimates drawn from victim surveys. A full one-third of the offend- 
ers were found to have committed their crimes at their place of em- 
ployment, spotlighting the problem of unscrupulous insiders who 
would use personal information for criminal purposes. 

Individuals were not the only victims. The financial services in- 
dustry was victimized in 37 percent of the cases. In 21 percent of 
the cases, the victims were retail businesses. The financial services 
industry was most frequently victimized by offenders using fraudu- 
lently obtained personal identifying information to obtain new cred- 
it card accounts, to apply for and obtain fraudulent loans, to pass 
checks, and to transfer funds. 

The retail industry was victimized by the use of stolen identity 
information to open store accounts and by purchasing merchandise 
with fraudulent credit cards. 

As a criminologist, those study findings impressed upon me the 
stark realities of identity theft in our modern society. Many of the 
crimes were carried out easily, and it really didn’t take, in many 
cases, our analyzing that, because some of the offenders in case 
notes indicated and bragged about how easy it was. 

A common characteristic of these offenses is that these criminals 
are criminal opportunists. They look for the path of least resist- 
ance, and they find it. And there are many compromised points in 
our system that they can use to commit these offenses. In the final 
analysis, the identity thief will take the path of least resistance
toward the ultimate goal of using someone’s identity to commit fraud
in someone else’s name.





But there are a series of vulnerabilities, system vulnerabilities
that we can address to try to cut off the blood flow to these offenders,
for instance: Merchant recognition of counterfeit cards: Time
and again the actual cases indicated a failure of merchants to de- 
tect that credit cards were not authentic; bank oversight of new ac- 
count creation: the failure of bank personnel to recognize false 
identification information; oversight of employee access to cus- 
tomer-client information: another failure of the employer to effec- 
tively monitor employee use of customer-client personal informa- 
tion; credit card issuers’ oversight of adding users to existing ac- 
counts: a failure of issuers to effectively verify authenticity and vic- 
tim approval of requests to add offenders to existing accounts as 
credit card users; Government recognition of altered forms: another 
failure, a failure of government agencies to detect false documenta- 
tion, leading to fraudulent use of documents in victims’ names; and 
finally the oversight of employee access to client-customer credit 
cards, skimming: another failure of employers to effectively monitor 
employee use of credit cards in the course of legitimate credit card 
transactions. 

Just to summarize in terms of what we can do with this informa- 
tion to help apply the plight of victims, I have distilled my rec- 
ommendations in my testimony to three optimized protections: Op- 
timize authentication protection; optimize protection of personal in- 
formation; and, optimize protection by law enforcement. 

In authentication protection, we need to have the best tools pos- 
sible and standardize them to make sure we can authenticate who 
these people are, whether they are actually the people they say 
they are or criminal offenders. 

Optimize protection of personal information: We are talking 
about all of the different agencies, private sector and public sector, 
that have access to personal information and house it. It is their 
responsibility to protect that information. 

Finally, optimize protection by law enforcement: Half of the cases 
that we looked at that were Secret Service cases started at the 
local level with local police officers. These were people, these were 
officers who did the right thing; they understood what identity 
theft is, and they reacted. Other research unfortunately has shown 
that is not always the case. What we need to do is address these 
authentication optimized protections to try to close the gap to pre- 
vent identity theft. 

Thank you, sir. 

Mr. Clay. Thank you for your testimony. 

[The prepared statement of Mr. Rebovich follows:] 





STATEMENT 

OF 

DONALD REBOVICH 

Executive Director, Center for Identity Management 
And Information Protection 
Utica College 

Information Policy, Census, and National Archives Subcommittee 
Oversight and Government Reform Committee 
Wednesday, June 17, 2009 
2154 Rayburn HOB 
2:00 p.m. 

Chairman Clay, Ranking Member McHenry and Distinguished Members of the Subcommittee: 

Good afternoon, Mr. Chairman and Members of the Subcommittee, I appreciate the 
opportunity to appear before you to discuss the serious crime of identity theft, the impact that it 
has on its victims and what can be learned from criminological research in these areas. 

As with any emerging crime area, the acknowledgment of identity theft as a distinct 
brand of criminality largely rests with the popularly accepted perception of the act itself as being, 
in some way, threatening to the average person. In general, the individual forms his or her own 
opinion about an emerging crime area based upon a combination of published reports of 
examples of notorious case incidents, broadcast vignettes depicting the unfortunate experiences 
of the victims, media announcements cautioning against behavior that may precipitate 
victimization, and, quite often, simple word-of-mouth. The frequency and the veracity of the 
conveyance of this type of information become powerful driving forces in the manner in which 
the general public synthesizes the information and draws conclusions about the actual level of 
danger the crime poses to them. Sometimes referred to as the commonsense methodology, this 
thought process is not the methodology of science outlined in textbooks on logic, but is 
impressionistic, highlighting general tendencies rather than specific interpretations. 

Such has been the case with the quest to understand identity theft. While no less than a 
decade ago, the term was apt to be met with curiosity and some bewilderment, it has become one 
of the most recognizable emerging crime terms in the 21st century. But, while the term may be
familiar to many, questions still remain regarding what the term really represents, what type of 
person is most likely to commit this crime, what criminal methods are most commonly (and 
successfully) employed, and who is in the most jeopardy of being victimized. To strengthen our 
abilities to genuinely contain and prevent identity theft, these questions must be answered not 
through a speculative commonsense methodology, but through an empirical approach anchored 
in a thorough analysis of criminal justice system data. 




The greatest challenge that the instinctive public acceptance of a speculative 
commonsense assessment of identity theft characteristics presents to the law enforcement 
community is that it can misleadingly color the characterization of identity theft by the very 
officials responsible for controlling it. The subjective view of what is represented by the term 
“identity theft” can prove to be deceptively contagious as it bleeds over from the general 
populace to enforcement circles at the local, state and federal levels. A substitution of one’s own 
subjective biases and experience for an empirical approach, has led to the ruin of many 
misguided law enforcement programs and initiatives. As expressed by noted criminologists, like 
Brown and Curtis, many practitioners within the criminal justice system have met with repeated 
failure because they relied upon only their common sense. Thus, millions of dollars have been 
spent on police patrol efforts that do not reduce crime, judicial practices that are widely 
perceived as unfair, rehabilitation programs that do not rehabilitate offenders and countless other 
failures. 

To avoid such a trap in the consideration of the criminal phenomenon of identity theft, 
Utica College’s Center for Identity Management and Information Protection (CIMIP) has strived 
to replace the commonsense approach with a scientific one rooted in the systematic study of 
actual cases of identity theft. This approach draws from official case procedure records starting 
at arrest and ending in case disposition. The method is objective and precise and analyzes 
specific variables and their import, on the road to fashioning an accurate portrait of identity theft 
characteristics. The broad mission is to use the compilation of study results as a compass by 
which law enforcers can navigate through the fog of past conjecture to proactively facilitate both 
original and effective identity theft enforcement efforts. The collection and analysis of such data 
serves as a wellspring of valuable knowledge, leading to a fuller realization of trends, patterns, 
and groups perpetrating identity theft. It is the first step toward what is meant to be a successive 
series of like endeavors gauging the evolution of identity theft as a distinct crime type. 

The research center I direct, The Center for Identity Management and Information 
Protection (CIMIP), is housed at Utica College in central New York, and is a research 
collaborative of major academic, government and private sector members dedicated to furthering 
a national research agenda on identity management, information sharing, and data protection. Its 
ultimate goal is to impact policy, regulation, and legislation, working toward a more secure 
homeland. CIMIP’s advisory board members are committed to working together to provide 
resources, gather subject matter experts, provide access to sensitive data, and produce results that 
will be acted upon. But, completing research and publishing papers based on the results is not 
enough. The results must be put into action in the form of best practices, new policies, 
regulations, and legislation, training opportunities, and proactive initiatives for solving the 
growing problems associated with identity theft, the secure sharing of information, and 
information protection. 

CIMIP is a logical outgrowth of Utica College’s academic programs and the college’s 
Economic Crime Institute (ECI). Utica College is the forerunner in providing academic programs 
in economic crime investigation and economic crime management on the undergraduate and 
graduate levels. Its undergraduate degrees in criminal justice and cybersecurity complete the 
suite of programs that endeavor to provide government and private industry with a well- 
educated, cutting edge workforce. Graduates of these programs are currently employed at all 




levels in both the private and public sectors. CIMIP’s governing body is The Economic Crime 
Institute of Utica College (ECI); an institute dedicated to leading-edge thinking on economic 
crime issues faced by business and government through educational programs, policy guidance, 
research, and solutions. The Institute fosters a learning environment that positions graduates to 
assume key roles in the fields of economic crime, fraud, and risk management. 

CIMIP undertook its most challenging research endeavor with its empirical analysis of 
over 500 U. S. Secret Service identity theft cases. The goal was to collect investigative case file 
data from completed identity theft cases spanning from the years 2000 through 2006 and, from 
this data, document key characteristics of the offense, the offender and the victim. Prior to our 
study, most of the research findings on identity theft were confined to information submitted by 
victims through surveys or other forms of victim information submission. While valuable, 
conclusions drawn from findings were sometimes limited by factors such as variable 
interpretations of identity theft definitions, did not include incidents unknown to victims, and did 
not include incidents of crimes against organizations or agencies (e.g., businesses, government). 
Such surveys were able to only address peripheral characteristics of the offenders and offender 
modus operandi. Without knowing key information about the offenders, efforts to inform and 
alert law enforcement and the general public to means to prevent identity theft remained 
handicapped. 

When the study results were first released, they were met with an interesting mix of 
curiosity and surprise. Contrary to some of the earlier victim surveys, the CIMIP study found 
that most victims did not know their offenders. The median loss for a case was found to be over 
$30,000, much more than average estimates drawn from victim surveys (Both findings can be 
partly attributed to the inclusion of private businesses and public organizations in the study 
sample). A full one third of offenders were found to have committed their crimes at their place of 
employment, spotlighting the special problems of unscrupulous “insiders” who would use 
personal information for criminal purposes. Close to half of the crimes depended upon offenders 
working in concert. 

The results shattered some preconceptions many held about identity theft and identity 
fraud. The fundamental insight furnished by the study results was that the theft of information 
used to commit identity fraud was predatory and pervasive, perpetrated by many different types 
of people from all walks of life. Furthermore, the criminals proved to be patient observers of 
opportunities that would allow them entree to source information upon which they could build 
criminal careers. These identity thieves would settle into a convenient routine of shuttling 
between the cultivation of data and the conversion of the data into the creation of counterfeit 
documents and identification cards towards reaching the ultimate goal of the fraudulent use of 
that data. 

The study findings impressed upon me the stark realities of identity theft in our modern 
society. Many of the crimes were carried out, easily, by individuals using simple forms of scams, 
trickery, misrepresentation (e.g., phishing), and basic theft (e.g., dumpster diving, mail box 
rifling) to procure seed information for their later acts of fraud. These were crimes of individual 
victim manipulation. However, the crimes resulting in the most monetary loss to individuals and 
businesses alike, proved to be more acts of system manipulation committed by loosely 




constructed criminal groups exhibiting, in many instances, remarkable skills at exploiting system 
vulnerabilities. A common characteristic of these cases was the specialization of criminal skills 
(e.g., paper document experts, laminating experts, check forgers) and the portability of those 
services depending upon the criminal group’s needs. Too often, the individual in control of the 
criminal “spigot” was the insider, the gatekeeper to personal information of clients and 
customers. 

Through a variety of sources (public service announcements, commercial advertising), 
United States citizens are periodically reminded about the threats of identity theft and the 
personal actions that can be taken to help insulate oneself from identity theft victimization. One 
disquieting story that emerges from the CIMIP study results is that no matter how vigilant we are 
in following a formula for protecting ourselves from falling victim to identity theft, there is only 
so much the average citizen can reasonably control. Our personal information is legitimately 
collected and housed, daily, by numerous private and public sector entities. The successful 
protection of that information is contingent upon the exercising of robust policies for the 
safekeeping of it by the information guardians themselves. Absent such policies (e.g., strong 
employee screening strategies, comprehensive employee monitoring programs), organizations 
invite attempts at information theft by those entrusted to protect it. Some of the findings of the 
CIMIP study point to a key threat to identity security as coming from “within”; the insider ready 
to exploit perceived system vulnerabilities. 

The findings that received the most attention after the release of the study can be distilled 
to the following points separated into four categories: the case, the offenders, the commission of 
the crime, and victimization. These findings can be helpful in understanding the full extent of 
identity theft characteristics. 

Some notable case characteristics were: 

• Cases were referred to the Secret Service from various sources. 

o Approximately 47% were referred by local and state law enforcement agencies. 
o Corporate security and/or fraud investigators referred about 20% of the cases. 

• The median actual dollar loss was $31,356. 


Offender characteristics showed an interesting diversity. 

• Most of the offenders - 42.5%, were between 25 and 34 years of age at the time that the 
case was opened. 

o The 35-49 age group made up 33% of the offenders. 
o 18.5% were between 18 and 24 years old. 
o The remaining 6% were 50 years old or older. 




• 24.1% of the offenders were born outside of the United States. 

• 71% of the offenders had no official arrest history. 

o Of those who did, a third of the arrests were for fraud, forgery, or identity theft. 

• The most prevalent motive of the offenders was personal gain. It took several forms 
including using fraudulently obtained personal identifying information to: 

o Obtain and use credit 

o Procure cash 

o Conceal actual identity 

o Apply for loans to purchase motor vehicles 


The data on the commission of the offenses also proved enlightening. 

• In most of the cases, the identity theft facilitated other offenses. 

o The most frequent offense that was facilitated by identity theft was fraud. 

o The next most frequent was larceny. 

• Criminal group activity was found in 42.4% of the cases, involving from 2-45 offenders. 

o The roles that the defendants took varied, but most frequently involved stealing or 
obtaining personal identifying information and using it for personal gain. 

o In cases with three or more offenders, there is definite coordination and 
organization, allowing the group to take advantage of criminal opportunities, to 
create opportunities for crime, and to avoid detection. 

• In approximately half of the cases, the Internet and/or other technological devices were 
used in the commission of the crime. 

o Within the half with no use of the Internet or technology, non-technological 
methods, such as change of address requests and dumpster diving were used in 
20% of the cases. 

• The point of compromise for stealing personal identifying information or documents was 
determined in 274 of the cases. 


o In 50% of those cases a business (service, retail, financial industry, or 
corporation) provided the point of compromise or vulnerability. 




o A family member or friend was the point of compromise in approximately 16% of 
the 274 cases. 

• Approximately a third of the cases involved identity theft through employment. 

o The most frequent type of employment from which personal identifying 
information or documents were stolen was retail (stores, car dealerships, gas 
stations, casinos, restaurants, hotels, hospitals, doctors’ offices) - 43.8% 

o Private corporations were vulnerable to insider identity theft in about 20% of 
those cases. 


The analysis of information on the victims produced some surprises. Although most of the 
media attention surrounding identity theft and fraud has focused on individuals, they did not 
make up the largest percentage of victims in this study. 

• Over a third (37.1%) of the victims were financial industry organizations: banks, credit 
unions, and credit card companies. 

• Individuals accounted for 34.3% of the victims. 

• 21.3% of the victims were retail businesses (stores, car dealerships, gas stations, casinos, 
restaurants, hotels, hospitals, doctors’ offices). 

• Victimization of organizations took several forms: 

o The financial services industry was most frequently victimized by offenders using 
fraudulently obtained personal identifying information to obtain new credit card 
accounts, to apply for and obtain fraudulent loans, to pass checks, and to transfer 
funds. 

o The retail industry was victimized by the use of stolen identity information to 
open store accounts and by purchasing merchandise with fraudulent credit cards. 

• The data show that most individuals were victimized by individuals they did not know. 

o 59% of the victims did not know the offenders. 
o 10.5% of the victims were customers or clients of the offender. 
o 5% of the victims were related to the offender. 

• 20.3% of the 939 offenders in the cases committed identity theft at their place of 
employment. 




o Of those offenders, 59.7% were employed by a retail business. 
o 22.2% were employed by a financial services industry organization. 


Knowing the Enemy: Who are the offenders? 

As a criminologist, my primary interest in the study results had centered on the offender. 
My belief was (and still is), that to fully appreciate the threat of identity theft and apply that 
knowledge to the prevention of future victimizations, one must understand the offenders and how 
they operate. Just who are these people who commit identity theft and how can this information 
be valuable to the general public and law enforcement? The quick answer is that they can be just 
about anyone. But upon deeper inspection, there are some features that underscore what makes 
them tick; that regardless of age, race or gender, these offenders could all be safely characterized 
as criminal opportunists in the truest sense. Detailed investigative case notes illustrated that 
offenders often were thoroughly meticulous in targeting what they perceived as opportunities to 
commit identity theft and escape detection. The opportunities could arise by chance or by 
design. In either case, the identity thieves would be alert to taking advantage of these 
opportunities, opportunities often provided by victims themselves. 

While over 70% of the offenders had no arrest history, that does not necessarily mean that 
these offenders had absolutely no criminal history. Statements made by offenders with no 
official criminal records belie the impression of them as criminal novices. There was some 
evidence that these offenders could be adept at arrest avoidance. It was clear from the cases 
studied that more than a few stated they had transitioned over from other crimes (e.g., drug- 
trafficking) because they believed identity theft was much more lucrative. 

Most offenders did not know their victims - only 5% were relatives of victims and 3% 
were friends/acquaintances of victims. The greater percent of those in which the offender knew 
the victim involved business/client/employment relationships. Such relationships involved the 
work of criminally-minded financial consultants, unscrupulous car dealership employees, 
unscrupulous loan officers and medical service representatives who valued their financial well- 
being far more than the health of patients. 

Overall, the identity thieves were found to fit into one of three separate criminal categories; 
Situational, Routine and Professional. All were found to take advantage of opportunities for 
crime that were presented to them. One might say that some of these opportunities were 
presented to them on “a silver platter.” 

Situational offenders were often those who happened upon opportunities through 
employment (i.e., “crime at work”). Their jobs were usually ones with access to personal 
information. Case investigations sometimes revealed these offenders as disgruntled employees, 
employees with financial problems, or both. At some point it would dawn upon these employees 
that they possessed the power to change their lives and act. These offenders would typically use 
the personal information of others for personal profit for themselves. Routine offenders were 
those with a mindset similar to the situational offender, except that as insiders these offenders 
decided to act as the “spigot” of stolen personal information that permitted the creation and 




evolution of various diverse forms of identity theft that the offender could turn into a continuous 
criminal enterprise. This type of offender would often move from job to job, with all job 
positions possessing the element of personal information access. The professional identity thief 
was found to be the most criminally sophisticated of the three types, practicing identity theft as a 
criminal career. This type of offender could be a solitary offender, but would more likely be the 
leader of a team, or a “middle manager”, usually taking on multiple criminal roles. The 
professional identity thief was found to wear many hats and participate in diversified criminal 
activities. 

While media reports and commercials have tended to highlight identity thieves preying 
upon individual citizens, the story that the study tells in this arena is that identity thieves 
frequently harbor criminal designs much broader in scope. Identity theft attacks against 
organizations and agencies in private and public sectors were all too common in the sample - 
with retail and financial services industries taking the brunt of monetary damage. One-third of 
the cases were found to originate at offenders’ jobs. As characterized earlier, these crimes were, 
thus, the work of insiders; those with access to personal information through employment in both 
private and public sectors. In these cases, the insiders became the criminal wellsprings that 
triggered a chain of events that would eventually end with the fraudulent use of the stolen 
information. 

Median loss in identity theft cases proved to vary by the size of the identity theft criminal 
groups. The logical explanation for this was that unless solitary offenders used the Internet as an 
enabling tool for identity theft commission (and, surprisingly, less than half did), one offender 
would not “score” as much in terms of profits as if that offender worked as part of a criminal 
team of identity thieves. The more identity theft foot soldiers fanning out to open new accounts, 
purchase new credit cards and write more bad checks, the more profits to divide among the 
criminal group. The insiders with access to information were ideally positioned to act as identity 
theft ring directors, instrumental in demonstrating the ease of crime commission to potential ring 
recruits, mentoring them through the first steps of criminal activity and guiding them through 
methods of exploiting weaknesses in identity protection systems. The final goal being the 
conversion of stolen identities into fraudulently obtained profits. 

Through their own admission, offenders would consistently seek what they saw as the 
easiest route to potential profits. Time and again, offenders in the study sample proved 
themselves to be adept at precisely analyzing systems put in place to prevent and deter identity 
theft. They would search for the weakest links in those systems and devote all their efforts to 
capitalizing on the exploitation of them. They were prone to specializing their criminal skills. It 
was common to see identity theft ring leaders erect their identity theft team around the 
specialized services individual criminal participants could bring to the table. Such skills included 
expertise in determining the perfect type of paper with which to produce fraudulent checks, or 
experience in how to effectively replicate identifying documents/cards. Some offenders were found 
to be satisfied with lower profile laminating responsibilities while others would be willing to 
assume the higher risks of direct fraudulent transactions using the stolen identifications. 

Together, these specialists would make up the synchronized parts of a fine-tuned identity theft 
“machine”, poised to take advantage of criminal opportunities presented to them. 




The offenders were, largely, found to adapt well to control efforts. In some cases, a 
certain sense of competition with control efforts was palpable. If offenders encountered new 
adjustments in the system they were trying to “crack”, they would expend extra time and energy 
to counteract these adjustments. As a group, they were not found to be easily discouraged by 
technical or systematic roadblocks that might be put in their way. In a word, they often came 
across as determined. Another criminal quality that emerged was their sense of patience. They 
could take their time to figure out a new angle in eluding detection and increase their profits. 
Like 19th century safe crackers, they would often take advantage of connections to other 
criminals who could help them with new skills to adjust their methods. 


Offenders were found to be experienced in isolating “enabling tools” that could make 
their transition from identity theft to identity fraud all the easier. In over one out of every three 
cases counterfeit driver’s licenses were used in the commission of identity fraud. In each of these 
cases, offenders were found to be in possession of counterfeit driver’s licenses that they had 
either created themselves, had other offenders create or had purchased from other offenders. 
These driver’s licenses were generated through the theft of personal information from private 
citizens and were then, in turn, used as the source information for fake driver’s license creation 
to perpetrate the commission of fraudulent acts. The common identity theft case in which 
counterfeit driver’s licenses were used to commit fraud had the following characteristics - 1) 
involvement of 2 or more offenders acting in concert, 2) the creation and use of multiple 
counterfeit driver’s licenses (often from different states), 3) the use of the counterfeit driver’s 
licenses to purchase business credit cards, open new bank accounts and/or to write counterfeit 
checks, and finally 4) the involvement of at least one “insider” from an organization/agency who 
provided the “seed” personal information needed as a source for the creation of the counterfeit 
licenses. While most of these cases could not be characterized as sophisticated organized crime 
cases, they can safely be said to be examples of organizational crime in that the cases often 
involved several co-conspirators who developed a system in which personal information was 
stolen in order to produce counterfeit driver’s licenses. The counterfeit driver’s licenses would 
serve as a catalyst to a chain of events in which offenders would use the fake licenses as 
“authentication” for the opening of bank accounts and the purchase of credit cards used to 
commit fraud. 

While the original methods of personal identification theft could be quite primitive (e.g., 
dumpster diving, mailbox theft), a reoccurring characteristic in driver’s license identity theft 
cases involved an insider with access to personal identification through employment. In some 
cases, the insider was an employee of an organization with direct access to personal information 
of customers/clients/patients (e.g., banks, hospitals, telecommunication firms) who participated 
in the actual acts of identity fraud as part of a conspiracy or “ring”. In other cases, the insider did 
not participate in the identity fraud acts directly, but sold the information to facilitate the creation 
of the fake driver’s licenses (e.g., employees of automobile dealerships). In either scenario, the 
personal information stolen was converted, directly, into the manufacturing of counterfeit 
driver’s licenses to be used for identity fraud. Some created driver’s licenses themselves with 
software and materials like paper and ink purchased from office supply stores. Others knew 
individuals who specialized in creating fake driver’s licenses and sold their specialized services. 




In the final analysis, the seasoned identity thief would take the path of least resistance 
toward the ultimate goal of using someone’s identity to commit fraud in that person’s name. The 
enabling tools became vulnerabilities in the systems or individual protections against identity 
theft victimization. Often these vulnerabilities were cases in which the system let the individual 
down. The following is a list of examples of these vulnerabilities, or “points of compromise”, 
that emerged from the CIMIP study: 

Merchant recognition of counterfeit cards - Failure of merchants to detect that credit cards were 
not authentic (e.g., manufactured by the offender using victims’ personal identification 
information). 

Individual victim oversight - Failure of the individual victim to protect or insulate source of 
information used by offender to assume the victim’s identity in the commission of fraud against 
the victim. Includes instances of source information obtained by acquaintances/relatives through 
direct contact with victim, “dumpster diving,” mail theft. 

Bank oversight of new account creation - Failure of bank personnel to recognize false 
identification information presented by offenders to open new accounts in victims’ name. 

Oversight of employee access to customer/client information - Failure of employer to effectively 
monitor employee use of customer/client personal information. 

Credit card issuers’ oversight of adding users to existing accounts - Failure of issuers to 
effectively verify authenticity and victim approval of request to add offender to existing account 
as a credit card user. 

Government recognition of altered forms - Failure of government agency to detect false 
documentation leading to fraudulent misuse of documents in victim’s name. 

Oversight of employee access to client/customer credit cards (skimming) - Failure of employer 
to effectively monitor employee use of credit cards in the course of legitimate credit card 
transaction. 


Basic offender characteristics of identity theft offenders, then, are the following - 
Identity theft offenders: 

■ Are “Criminal opportunists” 

■ Search for the easiest route to profits (e.g., testing methods) 

■ Specialize criminal services 

■ Adapt their abilities to control efforts 

■ Are patient 




■ Prize the special role of criminal “Insiders” 

■ Often depend on the creation and use of fake driver’s licenses as catalysts for identity 
crimes 


Applying Results to Victim Protection: Optimizing Victim Protections 

How does this empirical information translate into assistance to the victims of identity 
theft? In my opinion, the results highlight the responsibilities we all have to optimize basic 
protections of our citizens from falling victim to identity thieves and making sure victims are 
properly treated if those protections ever fail. For too long, we have accepted a less than 
adequate approach in at least two areas that could help cut off some “points of compromise” (and 
help prevent identity theft) and one area that could advance our efforts toward making certain 
that we truly support the “first responders” to the crimes and, thereby, treat identity theft victims 
properly. While I am sure there are more, I have distilled my recommendations to three 
optimized protections; Optimized Authentication Protection, Optimized Protection of Personal 
Information and Optimized Protection by Law Enforcement. 


Optimized Authentication Protection 

Empirical research has demonstrated that identity thieves (especially professional 
identity thieves) look for soft spots in systems that, when exploited, pay the biggest dividends to 
them through the use of stolen identities to commit fraud. One of the simplest ways for offenders 
to commit fraud using stolen identities is to open new credit card accounts in the names of 
victims. Both individuals whose identities are stolen and merchants become ultimate victims. 
The gatekeepers to identification approval are often those who are not optimally equipped to 
effectively discern the authenticity of identification documentation. These individuals become 
unwitting conduits for criminality by opening the door to identity fraud. In some cases, security 
measures built into authenticating documents are less than adequate. 

Types of authentication employed daily range from being quite simple to being quite 
complex. A commonality, though, is that the methods used can vary among the entities 
represented by the authentication “readers” (e.g., law enforcement, retail, transportation) and 
jurisdictions within which the readers operate. Key dependent factors include skill levels of the 
readers and the tools the readers employ. CIMIP supports the work done in this area by groups 
like the American National Standards Institute, the North American Security Products 
Organization and the Document Security Alliance. It is recommended that government support 
further efforts that would facilitate a series of reader applications of the testing methods 
throughout the U.S. across relevant testing entity groups. Such applications should entail physical 
applications of methods along with qualitative surveys on the level of ease and reliability of the 
applications. Results of the applications should be integrated into national standards for 
authentication testing to set the stage for the enhancement of authentication methods aimed at 
narrowing the scope of criminal opportunities that now exists for identity thieves. Both the 
private sector and government must work closely together to optimize the capabilities of 




authentication readers, ensure they are properly trained and guarantee that the most effective 
security layers are installed onto identification documents. 

Optimized Protection of Personal Information 

Much of the average citizen’s personal information is legitimately housed by numerous 
private sector businesses and government agencies in our modern society. It is a sign of progress 
and affords us with many services and conveniences that we would not ordinarily have. With 
regard to identity theft, these services and conveniences can come with a heavy price if 
optimized protections are not installed to prevent personal information from becoming 
compromised and used as the source for the selling of it to commit identity fraud. While much 
societal attention has been paid to invasions of information systems from the outside, the danger 
of breaches from the “inside” has not received as much scrutiny. Yet, as pointed out in CIMIP’s 
study of identity theft case characteristics, cases in which those given access, through 
employment, to personal information often result in those entrusted with protecting this 
information becoming the architects of rings dedicated to creating and sustaining criminal 
careers in identity fraud. It is time that the public and private organizations housing this source 
information are held to a higher standard to prevent these insider breaches, cutting off the 
criminal lifeblood that affects so many victims of identity theft and identity fraud. 

As recommended by scholars like Jeffrey Stanton in research on the importance of 
employer responsibility in ensuring that personal information of customers and clients is 
protected from exploitation, managers in the public and private sectors must see to it that the 
proper climate is set to prevent such actions. Ingredients for optimized prevention include: 1) 
effective employee screening methods at hiring; 2) effective monitoring/surveillance of 
employee activities in both the real and virtual settings; 3) limitation of data access to only select 
employees; and 4) the establishment and public notification of employer policies on employee 
interaction with data and the repercussions/penalties for violations. 


Optimized Protection by Law Enforcement 

There are a number of agencies that are responsible for identity theft control on a national 
level including the U. S. Secret Service, the Federal Bureau of Investigation, the U.S. Postal 
Inspection Service and U.S. Immigration and Customs. These agencies field direct reports from 
victims and others reporting identity theft, or what is thought to be identity theft. The agencies 
also work closely with state and local law enforcement agencies in addressing identity theft, 
often interfacing with identity theft task forces that combine the efforts of local, state and federal 
agencies. Studies like the one completed by CIMIP also demonstrate that state and local law 
enforcement agencies play a significant role, one that can easily go unnoticed by the general 
public due to the media profile given to larger “dollar loss” cases that are typically handled by 
federal enforcement agencies. Every day, municipal police, county police/sheriff’s officers and 
state police are instrumental in the successful detection and investigation of numerous identity 
theft cases. In many instances, they represent the first public officials who are made aware of the 
offenses or put in the position of determining if examined evidence would lead to a conclusion 




that identity theft has occurred. As such, they are frequently the first responders to identity theft 
victims. 

Based upon the analysis of CIMIP’s data, it appears that local/state enforcement officers 
involved in the identity theft cases were quite sensitized to identity theft enforcement. They went 
the extra yard to piece together information that would end in a clear picture that identity theft 
had occurred. It is important to note that the sample is a study of those who did detect and 
properly investigate the offenses as identity theft. It is for precisely that reason that this 
information is used for the basis of an informative report on experiences and desired procedures. 
Being sensitized to signs of identity theft is as important to a local enforcement officer as telltale 
signs would be to an emergency medical technician at the scene of an accident or to an auditor 
investigating the records of a corporation plagued with financial inconsistencies. Being a first 
responder, it rests with the local officer to determine if the “surface” offense is in fact the only 
offense that has taken place in a given investigation. A sensitized first responder would be able 
to skillfully dig beneath the surface and acknowledge the crime of identity theft, one that may 
have never been unearthed without the officer’s special skills. 

While the CIMIP study underscored the work of local law enforcers who clearly 
represented what should be done to effectively respond to identity theft victimization, other 
evidence has suggested that sensitization to identity theft recognition and investigation is not 
always as routine as one might expect. In his recent study of local law enforcement and identity 
theft, Vern McCandlish points out areas in which local enforcement is either lacking or requires
improvement. They include: 1) formal written policies specific to identity theft response and 
investigation; 2) follow up contacts of victims; 3) the provision of copies of the written reports 
taken by the officers to the reporting victims; 4) utilization of the Federal Trade Commission’s 
Identity Theft Affidavit, an affidavit created by the Federal Trade Commission, in cooperation 
with the financial industry, designed to assist identity theft victims in recovery (Once completed, 
the affidavit allows the victim of identity theft to have one form that can be submitted to any 
business to detail the facts of the victimization and can be reused with different agencies. The
victim is not required to complete a separate custom form for each business contacted to correct 
the errors caused by the identity thief); 5) written policies of entering the reported incident of 
identity theft into the Federal Trade Commission’s clearinghouse database; and 6) an emphasis 
on the importance of the police first responder empathizing with the victim. 

To optimize swift and effective local law enforcement responses to victims of identity 
theft, it is strongly recommended that government infuse resources into “best practices” training 
programs designed to build upon lessons learned from effective federal, state and local law 
enforcement strategies and direct those programs, widely, to local law enforcement officers 
throughout the nation. McCandlish’s research highlighted the following areas that are vital for 
the police first responder to have proper training in when responding to the victims of identity 
theft: 


• The language of the criminal statutes 
o Criminal liability 
o Jurisdictional issues 




o Victim’s rights 

• Criminal objectives in obtaining and using personal identification information 

• What information constitutes personal identifying information and what risks 
result from failure to properly secure this information 

• The true levels of stress and emotional trauma the victim is dealing with 

• The basic needs of the victim 

• The importance of documenting the complaint in a written report 

• How to offer basic advice on self protection when fielding questions from citizens 
or the press 

• Approaching the victim in a manner that does not leave the victim feeling to 
blame for being victimized or failing to empathize with the victim 

• Exhibiting appropriate compassion for the victim’s plight 


Final Thoughts 

The early research work done by CIMIP has documented both qualitative and 
quantitative features of identity theft that can logically be transformed into suggestions for policy 
change to help limit future victimizations and improve system treatment of victims. Firms like
The Santa Fe Group have been instrumental in pointing out specific needs that must be addressed 
to provide effective service to victims. An obvious way in which we can lessen the burden of 
identity theft is to clear away any obstacles that may impede the ability of the victim to restore 
his/her identity to a pre-identity theft level. In essence, this would amount to the victim receiving
a “clean record”, devoid of false charges that may have resulted from the victimization. Another 
way to lessen the burden is to support state and federal efforts to make it easier for victims to 
receive restitution as a result of their victimizations. CIMIP research of criminal case sentences 
found that restitution was imposed in only a minority of the cases analyzed. Clearly, this trend 
must change if victims of identity theft are to be afforded the services and protections they 
deserve. To ensure that identity theft cases are pursued to the fullest extent of the law, criminal 
prosecutions must be aggressive and effective. National prosecution associations like the 
National Association of District Attorneys (NDAA) and the National Association of Attorneys 
General (NAAG) should be supported in any efforts to emphasize the urgency of the prosecution 
of identity theft and provide requisite training to enhance prosecutors’ abilities to prosecute 
effectively. 

But, an improvement area that we must be careful to not overlook is the importance of 
educating the public on the finer points of doing everything one can to prevent identity 
victimization to begin with. Experts in identity theft prevention, like Martin Biegelman, have 
pointed out simple practices that can be followed that can dramatically reduce the risk of
becoming an identity theft victim. These practices include safeguarding social security numbers,
minimizing the amount of personal information one carries, reducing the sharing of personal 
information and being alert to credit card skimming tactics. They also include simple computer 
use practices like enabling strong password protection, encrypting files and being alert to 
common phishing and related scams. The general public should understand actions that can be 
taken to limit the extent of identity theft victimization through early recognition of it by 
practicing the routine review of personal credit reports, monthly financial statements and social 
security earnings and benefits statements. Improved prevention education must be matched with 
education in the steps that can be taken in expunging victim names and information from 
criminal justice databases. 

In short, it should be the obligation of both the public and private sectors to team together 
to support, develop and implement sound and comprehensive public awareness programs
designed to facilitate a precise understanding of how to help insulate oneself from the pain of 
identity theft victimization. In studies conducted on identity thieves’ accounts of their own 
criminal lives the message is clear; identity thieves believe that stealing identities is “easy” 
because so many of us make it easy for them to commit. It must be the mission of government to 
make it as difficult as possible for identity thieves to commit their criminal acts. Getting the 
“word” out to the average citizen is an important step in that direction.


I would like to thank the Subcommittee for its time today. I appreciate the opportunity to 
discuss this important issue. 




Mr. Clay. Ms. Wallace, you are recognized for 5 minutes. 

STATEMENT OF ANNE WALLACE 

Ms. Wallace. Chairman Clay and members of the subcommittee,
thank you very much for inviting me today and for giving me
the opportunity to tell you about ITAC, the Identity Theft Assistance
Center.

Six years ago, executives of the largest financial services companies
in the country got together and realized that while they were
doing a great job helping their customers at the time, there was
more they could do to help their customers who became victims of
identity theft.

One of the key problems that victims face is that the criminal
uses their information in more than one place; and the victim then
has to find all of the places where the fraud has occurred, tell their
story again and again, and prove who they are. It is a very time-consuming
and frustrating process.

This kind of fragmentation also occurs in law enforcement. Identity
crimes frequently involve many customers with small dollar
losses across jurisdictional lines, and this kind of fragmentation
really makes it difficult to investigate and prosecute these crimes.

So in 2003, under the leadership of the Financial Services
Roundtable and BITS, 50 of the largest financial services companies
came together to form ITAC, a nonprofit organization committed
to helping victims recover from identity theft, partnering with
law enforcement to catch and convict the criminals and to provide
consumer education.

Since 2004, ITAC has helped more than 55,000 consumers recover
from identity theft. The service is free to the consumer and
is paid for by the financial services company. Very briefly, here is
how the service works.

It starts at an individual member company, who helps the victim
resolve any of the problems at that company. The company then directly
transfers the consumer’s telephone call to an ITAC agent
who walks the consumer through their credit report to find any
other cases where fraud may have occurred.

If fraud is found at other places, ITAC notifies all of those companies,
whether they are ITAC members or not. The ITAC members
get instant notice from us, online notice; the other companies
all get a letter from us saying this person is a victim; you need to
do something to fix this problem.

As you can imagine, this is a very rewarding job I have. It is 
wonderful to be in a position to help people at a time when they 
need it most, and that is exactly what ITAC is. It is a helping hand 
at a time when people need that help most of all. 

Just one quick example. One of the people we helped was a 71-year-old
man from California. He was a tax preparer who, out of
the kindness of his heart, rented an apartment in his home to a
woman and her daughters. He treated her like a daughter. She
used his computer and stole his financial information. He didn’t
find out about it until he got a bill in the mail for a credit card
that he had never applied for.

When he came to ITAC, the ITAC agent found one other fraudulent
account in his name, and five other attempts to open accounts
in his name. What he said to the ITAC agent was, “You can’t imagine
what a relief it is, in the middle of all of this, having someone
on your side.”

This is a terrific service, and people really appreciate it. 

I want to turn quickly to law enforcement because that is another
key area that we operate in. We share data with both the
Postal Inspection Financial Crimes Data base and with the FTC’s
Consumer Sentinel Data base; and this information is used by inspectors
and law enforcement all over the country. The reason this
is so important is because, instead of each company sharing information
individually, we have data from multiple companies; it is
national in scope and it is in a consistent format. And law enforcement
tells us that they are using it very effectively. In a number
of cases around the country, it has helped them crack the cases.

The third element of our mission is education. We work very 
closely with the Federal Trade Commission. We helped when they 
launched their Deter, Detect, Defend Campaign, and we also have 
a terrific Web site of our own, identitytheftassistance.org, to help 
on this consumer education effort. 

In summary, I would say a lot of progress has been made over
the last 6 years when I have been head of ITAC. We have had
great laws passed, more consumer education, and a much better response
on the part of law enforcement. But there is certainly a lot
more to be done.

Consumers still have difficulty filing police reports in many jurisdictions.
There are still gaps in the enforcement efforts, and the
lack of comprehensive data makes it difficult for policymakers,
such as this committee, to make the best kind of legislative choices.

In closing, what I would say is that we believe that the ITAC
model, a collaborative private sector approach that is focused on
best practices and, most importantly, focused on helping the consumer
recover from this crime, has great potential in other industry
sectors and for government agencies.

So thank you for the opportunity to testify. I will be happy to answer
any questions you might have.

Mr. Clay. Thank you for your testimony. 

[The prepared statement of Ms. Wallace follows:] 





Testimony of

Ms. Anne Wallace 
On behalf of 

The Identity Theft Assistance Corporation 


Information Policy, Census, and National Archives Subcommittee 

Oversight and Government Regulation Committee 

Wednesday, June 17, 2009 
2154 Rayburn HOB 
2:00 p.m. 





Chairman Clay, Ranking Member McHenry, and members of the subcommittee, 
I am Anne Wallace, president of the Identity Theft Assistance Corporation. Thank you 
for inviting me today and for the opportunity to tell you about ITAC, the Identity Theft
Assistance Center, an initiative of the financial services industry to fight identity theft 
and help consumers recover from this serious crime. 

Six years ago, executives of the nation’s largest financial services companies 
realized that however hard they worked individually to help their customers and stop 
identity fraud within their own four walls, they could achieve more if they worked 
together. They knew that, in many cases, criminals used the victim's personal 
information many times, compounding the victim’s problems and resulting in fraud 
losses at other companies. By acting together and following a common process, they 
believed they could help their customers stop the identity theft spiral. 

To stop the damage and begin the recovery, victims had to find all the places 
where the crook had struck, prove who they were, and tell their story again and again, 
a time-consuming and frustrating process. Meanwhile, the damage spread. 

Fragmentation also impeded law enforcement. Identity crime often involves 
small dollar losses for many victims scattered across multiple jurisdictions which 
strained the resources of investigators and prosecutors. 

To break the cycle, consumers needed more guidance on preventing and 
recovering from identity theft. 

In 2003, under the leadership of The Financial Services Roundtable and BITS, 
50 financial services companies created ITAC, a nonprofit committed to helping 





one other bogus account and five cases where someone had tried to open accounts in 
his name.

Paul said he knew who was behind the fraud from the start. He confronted his 
tenant, a woman and her two daughters, who rented an apartment in his house. Paul 
and his wife had grown close to the family, who frequently used Paul’s computer. “We 
had compassion for this woman, we treated her like a daughter," Paul said. 

"Unfortunately, the whole experience has hardened us, we’ve lost trust in other 
people,” Paul said. As for ITAC: "You can't imagine what a relief it is in the middle of all 
this having somebody on your side." 

I know the Subcommittee is interested in the investigation and prosecution of 
identity crime - which is a key part of ITAC’s mission - so let me describe how ITAC 
works with law enforcement. 

Following the interview, with the consumer’s consent, ITAC sends information 
about the identity theft event to the U. S. Postal Inspection Service’s Financial Crime 
Database, which is used by postal inspectors all over the country. We also feed data 
into the Federal Trade Commission’s Consumer Sentinel Database. Approximately 
1,400 local, state and federal agencies, including the FBI and the Secret Service, have 
24-hour-a-day online access to ITAC data via Consumer Sentinel. 

These data sharing agreements represent a major breakthrough. For years, 
financial institutions have shared information about their own identity theft cases with 
law enforcement. This one-on-one information sharing continues to this day and is 
very valuable. But, ITAC’s data sharing is unique and especially valuable because ITAC 
reports are verified cases of identity theft. The data comes from many different 
companies, it is national in scope and is delivered in a consistent format. 




consumers had the right to place a fraud alert on their credit report, to get a free copy 
of their credit report each year, and to obtain records relating to fraudulent 
transactions. Heightened awareness of the need to protect personal information has 
led government and the private sector to improve information security. Law 
enforcement at all levels is much aware of the seriousness of identity crime and its 
impact on consumers, the economy and national security. 

Despite the progress, there is much more to be done. Most industries and 
government agencies lack processes for helping victims restore their identity. 
Consumers continue to be frustrated when they try to file a police report. Gaps in 
resources and training still limit the investigation and prosecution of many identity 
crimes. Consumer education efforts are challenged by rapid changes in criminal 
techniques and technology. Once a law is adopted, its effectiveness in helping victims 
is seldom evaluated. We would like to see more follow up research into which laws and 
regulations work and which don’t work in stopping identity crime and speeding victims’ 
recovery. The lack of comprehensive, empirical data about identity crime frustrates 
the ability of policy makers and consumers to make reasoned decisions. 

In closing, we believe that the ITAC model - a collaborative initiative founded 
on best practices and committed to helping consumers - can work in other industry 
sectors and in the federal government. 

I want to recognize and thank all of the other witnesses, most of whom we work 
with, for all the good work they do on behalf of consumers. 

Mr. Chairman, I would be happy to answer any questions you may have. 




Mr. Clay. Mr. Handy, you have 5 minutes. 

STATEMENT OF ERIC HANDY 

Mr. Handy. Chairman Clay and subcommittee members, my
name is Eric Handy, and I am here to represent the Identity Theft
Resource Center [ITRC]. I am here for the founder, Linda Foley,
and they are based in San Diego, CA.

Very similar to ITAC, we are also a free service for victims. We 
do quite a bit with victims. We also do quite a bit with legislation, 
government, law enforcement, training, general awareness training 
in a lot of areas. 

Going forward, we also have a nice survey called Identity Theft:
The Aftermath. This year’s version is Identity Theft: The Aftermath
2008. There, you can really hear the voices of the victims call
out to you when you read the statements from actual victims; that
is, the one beauty of the ITRC is that we get to deal with the victim
from start to finish in a lot of cases, and we get to work
through all of the systems and all of the quirks in the systems, and
we get to find out what does work and what doesn’t work.

You can read that document and very clearly see over the last 
6 years how things have changed. 

What I want to emphasize are three emerging areas. I know that
you asked that question of the last panel, that we see that is happening
out in the identity theft world right now.

No. 1 is, child identity theft is something that is increasing; No. 
2 is medical identity theft, which has been elaborated on already; 
and, No. 3 is identity theft in the deceased, believe it or not. So 
this is a real cradle-to-grave situation where the average person is 
usually age 26 to 34 that is affected by identity theft. But it can 
happen at any point in time. 

When we talk about child identity theft, I just read a statistic 
today before I came here, if you took every classroom in the United 
States, you would probably find one child identity theft victim in 
that class, and that seems like an awful lot to me. 

We can play around with numbers and statistics, but there is a
big problem because a lot of cases, the creditor or person offering
the credit account does not know the age of the person or their Social
Security number, because Social Security is associated by date
of issue not birth date. So there is an issue there. They don’t know
if the person is a minor or not, so they will most likely allow the
account to exist and that causes what we have here, the child identity
theft problem.

A solution that we offer up is to create a data base; we call it
the 17-10 data base. That is a data base that has everybody, everybody
from 1 day old to 17 years and 1 month included in this data
base. This would be done through SSA, the Social Security Administration.
This has been bandied about a little bit, and so it is possible
everyone who is giving credit would have the ability to check
that data base based on Social Security numbers. You would check
that to make sure that person is not a minor. That would automatically,
in a lot of cases, eliminate some of the child identity theft
problems.

Issue No. 2, medical identity theft: We all know the Presidential
movement for 2014 is for all medical records to be online, and that
is quite daunting. Being in the profession of IT security, that concerns
me. It always concerned me because 95 percent of our medical
information is being held by the small provider, who is least
likely or least able to protect themselves because of resources. So
it is already a predicament, but when you put everything online,
it is easier for thieves to get.

We have all heard the stories of persons, who got the medical bill
for the foot amputation, and they never had an amputation and no
one believed them. When they called the creditors, they didn’t believe
them. They made jokes about it. The person has to go to the
billing office and show them they have both feet.

That is sometimes what this leads to with some of the victims. 
We deal with the victims, and I get all of these fantastic stories 
about these things that happen. No one believes the victims. We 
are here to be the voice of the victim currently, right now. 

There are a lot of procedures that are in place, but they are not 
always followed or enforced, and that is why we have the situation 
I just mentioned where you bring the bill and show you haven’t 
had your foot amputated; and they still don’t always 100 percent 
believe you. 

So that is where we are when it comes to medical identity theft. 
We have medical identity theft red flag rules that will help out 
with medical identity theft coming up in the future, and what we 
do need are more privacy laws. 

For instance, if someone stole my medical identity and I found 
out about it and corrected it — and say I had diabetes — now it 
shows I don’t have diabetes, that is a problem health-wise. But I 
can’t go back and change that to diabetes because I can’t see my 
records anymore because the imposter has the right. 

So something is wrong with that story. I no longer have the right
to my own medical records to make the change that I need to correct
it.

Now there are some solutions — make an alias, a card that shows 
that there has been a mishap that occurred and you can track it. 
One problem is, if we do clear that record up totally, and they come 
back and strike again, you can be hit over and over again. So we 
do need some kind of record on that. 

Identity theft in the deceased, even when people die, those are 
the best people to get for identity theft because they are not able 
to watch themselves — or kids. So that is the perfect situation. In 
the kids’ case, you have 18 years to operate as an identity thief. 
That is a beautiful situation if that is what you are into doing. 

The problem we have with the deceased is when the death certificates
go out; they must all be tracked properly and notified.

A lot of these solutions have been drawn up in my testimony for 
further reference. 

Last, in the world of identity theft, today is tomorrow. In other 
words, the thieves are way ahead. So we have to stay one step 
ahead. This is like riding a bronco, we don’t know where it is going, 
and we need more enforcement. There is no enforcement, so people 
don’t care to protect these situations. 

Thank you for your time. I look forward to answering questions. 

Mr. Clay. Thank you, Mr. Handy. 

[The prepared statement of Mr. Handy follows:] 




Identity Theft Resource Center 


P.O.Box 26333 
San Diego, CA 921% 
856.693.7935 
www.idtheftcenter.org 


Testimony 

Of 

Eric Handy 
On behalf of: 

The Identity Theft Resource Center® 

Information Policy, Census and National Archives Subcommittee 
Oversight and Government Reform Committee 

Identity Theft: A Victim's Bill of Rights 

June 17, 2009 
2154 Rayburn HOB 

2:00 p.m. 


In addition to my oral testimony, the ITRC theft victimization study, Identity Theft: The
Aftermath 2008, can be found online at: http://www.idtheftcenter.org

http://www.idtheftcentcr.ors/urtmun2/mihlish/ii overt iew/Corporate Overview 





Chairman Clay, Ranking Member McHenry and Members of the Information Policy, Census, 
and National Archives Subcommittee: 

Thank you for the opportunity to provide both written and oral testimony for your committee 
today and for your interest in the topic of the “rights of victims of identity theft” and “the rights
of consumers not to become victims.” My name is Eric Handy and I am here on behalf of the 
Identity Theft Resource Center (ITRC) as a personal representative of Linda Goldman-Foley, 
founder of the ITRC. I am here today to represent the “voices of the victim.” 

I am a specialist in victimization, compliance law and identity theft issues. I have over 10 years 
of IT Security experience working with industry experience in the following business sectors: 
telecommunications, high tech, health care, transportation, consumer industrial & manufacturing, 
and the federal government. I also hold certifications as a CISSP - Certified Information 
Security Specialist, CIPP/G - Certified Information Privacy Professional with specialization in 
Federal Government and am a PMP - Project Management Professional. I am also a PhD 
candidate on the subject of identity theft. 

Introduction 

What are the challenges facing today’s identity theft victims? What rights need to be added or 
modified to assist these victims? What needs to be provided to consumers to reduce their risk of 
victimization? 

In the conclusion of Identity Theft: The Aftermath 2008. ITRC always allows victims to have the 
final word. Today I would like to start by sharing a few of the victim’s comments: 

• Somebody filed a tax return and received my refund from the IRS. The IRS referred me to 
a taxpayer advocate who has NOT been an advocate! I have gotten the "run around" and 
I'm still going in circles! 

• I am dealing with criminal identity. People with the same first and last name as mine,
but with different middle names, have committed crimes in the State of Florida. Because
our names are similar, there is erroneous criminal information attached to my name.
According to the state of Florida, which keeps the records, I committed no crime. I still
am frightened and fear I am going to be arrested for their crimes.

• The person is still using my identity to work in the U. S. and I cannot stop her. I have 
been denied credit and new services because of this, even though I have a very good 
credit score. I don't think the police are capable of finding her or solving this case. I
have a lot of anxiety and fears as a result of my identity theft. 

• I am still concerned because as far as I know my personal info is still out there. There
needs to be better laws and methods to help victims have more of a sense of closure. 

• Identity theft is a very isolating crime. You feel like no one understands or could. Some 
people say it is a victimless crime. I am a victim! I want people to know that! 





ITRC is honored by your invitation to be the “voice of identity theft victims” and will continue 
to make its opinions available upon request to your representatives over the next few months as 
you grapple with this complex crime. 

The Classifications and Categories of Identity Theft Crime 

The ITRC classifies identity theft into five main categories: 

• Financial Identity Theft is when the imposter uses another individual’s personal identifying 
information, primarily the Social Security number (SSN), to establish new credit lines. The 
imposter may apply for telephone or utility service, credit cards, loans, or lease cars and 
apartments leaving the victim with a ruined credit record and score. 

o Subcategories of this crime include, but are not limited to, credit and checking account 
fraud. 

Case history: Somehow, my personal identifying information (SSN, name, birth date, 
etc.) were obtained and used to apply for instant store credit at various large stores, and 
approximately a dozen other merchants. Additionally, my personal credit card was 
"taken over" by these criminals. By calling Visa and posing as me, they changed my 
billing address, and claimed that they had lost the credit card. They then received my 
new Visa card in the mail at the fraudulent address. 

• Criminal Identity Theft occurs when a criminal gives another person’s personal identifying 
information, in place of his or her own, to law enforcement. These cases range from 
misdemeanor infractions up to and including felony level crimes. The victim problem is that 
there is a record created by an arrest or the issuance of an arrest warrant. As a result, these 
filter up through a system not designed to be altered, nor designed to allow for the removal of 
records. The victim faces rejection in seeking employment, the possibility of termination, 
possible incarceration, and the possible need to hire an attorney to prove his/her innocence. 

o Checking Account Fraud might result in Criminal Identity Theft. The victim’s
information is used by the imposter for passing bad checks. In some cases the victim’s
information may be the only real thing on the bad check. Many states prosecute on bad
checks or opening accounts fraudulently. The victim is squarely in the sights of the DA.


Case history: A recent case involved a woman who lives in Pittsburgh. Her imposter had 
several warrants in Kentucky for opening a fraudulent checking account and writing bad 
checks on it. The victim was 8 months pregnant at the time of the crime. She was
restricted by her doctor to bed (in Pittsburgh) and clearly incapable of committing this 
crime. The bank finally cleared her but forgot to notify the prosecuting attorney of the 
change of facts and status so the warrant could be withdrawn. She has incurred legal 
expenses as well as other expenses in clearing her name and rectifying the inaccurate 
records from various databases. 

• Identity Cloning or Identity Assumption is the third category. This imposter uses the 
victim’s information to establish a new life. He or she actually lives and works in the 
victim’s identity. This crime usually involves financial issues, governmental issues, and 
possibly criminal identity theft. 



o The financial issues may include information on a victim’s credit report that is not his. 
However, the bills are paid monthly. Many victims dealing with this find that companies 
prefer not to close the account because the account is current. These companies do not 
recognize that thieves may pay bills in order to maintain stolen identities for long periods 
of time. 

o Governmental issues are represented by undocumented immigrants, wanted felons, those 
avoiding tracking (i.e. getting out of paying child support or escaping from an abusive 
situation), and those who wish to leave behind a poor work history, criminal record, 
and/or a bad financial report. In essence, they are “starting over”, but using your name
and identity. 

o This type of crime can necessitate having the victim deal with tax issues, benefit fraud, 
criminal records, and erroneous secondary data aggregator records. 

Case history 1: Two nights ago, I was arrested as part of a four-year ongoing theft of my
identity. The arrest was over bad checks written in Lincoln, NE near where I reside. 

The issue, other than the arrest and all that goes with it, is the fact that J.P.M. was able 
to open fraudulent accounts because the Nebraska DMV issued her a license with her 
picture and my information. I don't know what documentation she provided them, but we
clearly do not have the same physical features. This should have sent up a red flag to the
DMV. As a result, J.P.M. illegally used my identity to spend almost $40,000, with new
credit cards and with fraudulent checks. 

I am doing the best I can to be compensated for the money spent on bail, loss of work
time, personal stress, which all occurred while I was finishing my undergraduate degree 
and throughout my master's degree. Needless to say, this has interfered with my 
performance in school because of the time it takes to free myself as a citizen and as a 
consumer. The arrest was the last straw. 


Case history 2: Victim lives in San Diego and is receiving disability benefits. The 
imposter is living and working in IL. The fraud is impacting her disability benefits. The 
IRS and SSA have been contacted. Victim is fearful of losing housing and being unable 
to cover living expenses due to the lengthy time of recovering her good name and 
clearing the records. 

• Medical Identity Theft is a growing problem in multiple ways for the nation. It is best 
defined through the problems faced by the different victim groups affected by this crime: 
o For the person whose information was used, “the victim”: The financial impact to the 
individual as negative debts and delinquencies are reported and recorded on the victim’s 
credit report. When collection agencies get involved in debt collection, judgments/liens
could be issued against the victim. 

o To the medical facility and health providers: The expenditure of dollars in treatment, in 
terms of time, equipment and medical resources, for which recovery will be nearly 
impossible. There are hundreds of hours expended in collection attempts, as well as the 
additional time spent by both the victim and the company to clear up the financial issues 
created. 



o To the government and business systems: There is the issue of benefit fraud and the 
potential of improper denial of benefits due to abuse by imposters. Being denied care due 
to the exhaustion of benefits is a double edged sword. The individual’s health could be 
placed in greater jeopardy by a delay in treatment while the fraud is detected, identified 
and then corrected. The provider could be open to lawsuits for failure to provide timely 
and adequate care to the true patient. 

o The creation of data records containing information that do not correctly reflect the 
identity assigned. Due to HIPAA, it is nearly impossible to remove medical records
“created” by the imposter. Privacy issues also prohibit a victim from seeing those
records if they declare they are a victim of identity theft.
o The denial of coverage due to the consideration of “pre-existing conditions” listed as part 
of the imposter’s health condition. 

o The potential issues of mixed data which could cause an incorrect diagnoses or treatment. 

Case history: My ex-husband and his employer used my Social Security number to file 
medical claims on my health insurance. My ex has not been covered on my insurance 
since 1999, and I have changed employers and insurance carriers since that time.
However, claims for February 2002 through May 2002 have been filed on my current 
insurance. He has obtained the information without my knowledge. I found out about 
the claims after receiving Explanation of Benefit forms from my insurance provider. The 
claims have been denied, so the insurance provider states that they are doing their job. 
The insurer will not file a report with the police. 


• Commercial Identity Theft is similar to Financial Identity Theft except the victim is a 
commercial entity. 

o Commercial entities do not have credit reports. They have no means to find out if their 
EIN is being used by an imposter to open new lines of credit. As of this date, there is no 
credit reporting system for companies operating under an EIN. (Employer Identification 
Number) 

o Commercial entities don’t have access to fraud alerts since they don’t have credit reports.
o Criminals open checking and credit accounts using the identifying information for a
company, order products and may even try to conduct business as that entity. They can
also create fake checks using the information from the commercial entity for payment.
Due to the nature of many large businesses, this may not be caught until an audit is done
and someone realizes there are extra checks, duplicate checks or checks out of order.
o Unfortunately, this is a yet-to-be-explored topic and good resolution steps for these
victims are few. Due to time limitations, ITRC will not be addressing the issues of this
crime today. 

Findings and Recommendations 

In the next section, ITRC will introduce various issues that we believe if they were properly 
addressed would have a positive effect on identity theft victimization in the United States. This 
is not a complete set of guidelines, but focuses on some of the major issues facing victims today. 



1. Child Identity Theft: 

Finding: Children should have the right to have their identities protected in such a fashion 
that upon reaching their majority they are able to start their adult lives with a clean slate 
and not as a victim of identity theft. 

With the above goal in mind, the first area of consideration should be with the current policy of 
issuing Social Security numbers (SSNs) to minors/infants. This practice creates an unrestricted 
18-year window of opportunity for identity thieves. The issuance of SSNs to minors originated
upon the request of the IRS to combat tax fraud. The flaw with the system is that there is no 
difference between a Social Security number issued to an infant today or one that is issued to an 
adult immigrant. Social Security numbers are tied to a date of issue, and not a date of birth. 

This allows imposters to acquire and use Social Security numbers of children for committing 
identity theft. 

What most people do not realize is that the creation of a credit file is based on the information 
provided in the first application for credit. Until then, a credit file does not exist. That first 
application becomes the “de facto” baseline of information, taken at face value, as the true 
information about that “person.” If a child's Social Security number is taken, and the date of 
birth is modified to indicate 18 years of age or older, a person can apply for credit thus creating a 
credit file. The thief can use a different name and address, and no one would know that this was 
a fraudulent application. The true recipient of the Social Security number may not even be 
aware of the situation until they apply for their first line of credit, after their 18th birthday.

Businesses and credit issuers complain that they have no way of knowing if a SSN belongs to a 
minor. That is factually true. In The Aftermath the following comments were provided by a 
compliance manager of a data privacy and identity theft program of a major utility company: 

The void of a credible nationally recognized data source to validate minors’ credentials
leaves businesses blind to the facts. This void means businesses may not be able to deny 
credit or services under many very complicated regulations without reasonable 
information that the identity is fraudulent. Without a data source confirming the identity 
credentials belong to a minor, many businesses simply create an account and require a 
security deposit. 

Minors may not enter into a legally binding contract. In these cases, the companies always suffer 
the loss of services or goods. Clearly, they would like a solution to this issue. In today’s 
economic environment businesses don’t want to absorb the additional fraud loss. 

Recommendation: The creation of a data file called the “17-10 Database.” The “17-10 
Database” would be a list that contains the name, month, year of birth, and Social Security 
number of every individual from the age of 1 day to 17 years and 10 months. This file should be
sorted by Social Security numbers and provided twice a month, without charge, to the 
appropriate credit reporting agencies, all Departments of Motor Vehicles, and selected 
companies doing the prescreening of credit applications under the guidelines of the Federal 
Trade Commission. This solution has been discussed with the Social Security Administration
and is possible. Both children and businesses benefit from the 17-10 Database. According to the
FTC Complaint Call Center Report, 5% of all complaints are about minors. ITRC feels that 
there are far more child related identity theft cases than are being reported. More investigation is 
necessary to quantify this debilitating crime. 


The benefits of using this system are as follows: 

• This would effectively freeze the Social Security numbers of all children until they are 17 
years and 10 months of age. It would allow the CRAs to warn creditors that the Social 
Security number on the credit application belongs to a minor, ideally stopping the 
acceptance of the application and subsequent fraud loss. 

• This would prevent the spread of any additional information that could be used for 
identity theft while alerting a business of a possible fraud. All that need be provided to 
the credit issuer is the comment: “the Social Security number belongs to a minor.” 

• This would provide age support information to all the DMV's for the issuance of drivers 
license. 

• This would eliminate the practice of utilizing a child's Social Security number to obtain a 
fraudulent driver's license after real driver’s license has been suspended or revoked. 

2. Identity Theft and the Deceased 

Finding: Death should not diminish a person’s right to be protected against identity theft. 

Despite a person’s death, a SSN may continue to be active and could conceivably be used for the 
extension of credit. Currently, the Master Death Registry, which the Social Security 
Administration contributes to, does not include the names of all deceased. Information is added 
to this list in a variety of methods, some of which are consumer-generated. 

Unfortunately, thieves scour the obituaries and even cemeteries for people who died as children 
or young adults. They then apply for birth certificates and Social Security replacement cards to 
assume that identity. These documents have been known to be reproduced many times and sold 
to multiple people. After all, who is watching a credit report of a deceased person or child? 

Several years ago ITRC worked with a woman whose 6-year old deceased daughter’s identity 
was continually being used by an adult woman for credit, work, and even to enroll in Reserve 
Training. Because all the records use her daughter’s SSN information, collection agencies still 
call this bereaved mother 15 years later about accounts her daughter never could have opened.

Recommendation: All governmental agencies that issue death certificates shall notify the 
Social Security Administration of a death with a specified paper or electronic form within 10 
business days of the issuance of a death certificate. Information would not be included in the 
Death Registry if submitted by any other entity. If the identity of the decedent is not known at 
time of death, the issuing agency would forward a copy of the certificate issued when positive 
identity is established. 



• The SSA notifies all credit reporting agencies/repositories within 15 business days of any
SSN that should be flagged as deceased. 

• Any credit reporting agency that receives such notification shall: 

o Enter a “deceased alert statement” in the deceased’s credit report declaring: This 
person died on (date). New credit lines should not be extended to this name
and/or social security number from that date forward.

• In the event of credit applications made after date of death, the credit reporting 
agencies/repositories shall send a SAR (suspicious activity report, form to be determined) 
to the following groups of people: law enforcement agency in jurisdiction where the 
person last lived, law enforcement agency in the jurisdiction where the application 
originated, closest living relative/executor of estate. 

• Credit reporting agencies/repositories shall include the “deceased alert” statement in 
reports provided to all credit issuers requesting information on said person, no matter 
whether a score, summary or full report is requested by the credit issuer. 

• All credit issuers must observe the deceased alert. 


3. Protecting the Social Security Numbers of Medicare Participants and Military 
Personnel 

Finding: Seniors and military personnel should be protected from needless exposure to 
identity theft caused by the requirement of carrying a card with a SSN. 

Currently the Social Security Administration and U.S. Government use Social Security numbers
as identifying numbers on cards carried by Medicare participants and military personnel. We 
must make progress in finding alternative solutions and stop exposing the SSN of these two 
special interest groups. This topic has been introduced by federal legislators for more than 7 
years now. 

On July 6, 2003, Parade Magazine’s (in the Sunday paper) centerpiece discussed identity theft. 
Even then, people were concerned about lost and stolen wallet issues and were angry at 
governmental agencies (SSA, military) or health providers because of the placement of the SSN 
on a card they must carry on a daily basis. 

Case History: T's identity was stolen by her doctor’s receptionist from the information
on her health card. She found out when applying for her first home loan, her dream 
home. Months later, after clearing her records, spending her own time to research how 
her thief got her information and used it, and seeing another family move into her home, 
she was able to convince authorities to prosecute her offender. The result- the thief is 
now living in a halfway house, driving the car she bought with T’s identity and working 
for another doctor as a staff member. T was finally able to buy a house almost 2 years 
later, at a higher purchase cost, with a higher interest rate due to the multiple accounts 
that had been opened in her name after the placement of a fraud alert. 



Recommendation: If the SSN must be in the federal database for benefit or identification 
purposes, then we must find a way to assign a random User ID number that will be printed on the 
card that is carried. This User ID number is then used as an identifier on multiple forms that are 
filled out by the individual. In the case of the military, this use might involve dozens of papers 
annually. The excessive exposure of SSN is a weak link in our national risk management 
system. If the federal government expects the business community to protect SSNs, it must lead 
by example. 


4. Overuse of the SSN as an identifier by other entities 

Finding: Every individual should have the right to have their Social Security number used 
responsibly. Over exposure of the SSN could lead to a higher risk of identity theft. 

The following categories demonstrate the problem of the overuse of the SSN: 

• Employer use of SSN as individual employee ID number, including public display of 
such, e.g., timecards, timesheets, cash register use number, badges, etc. 

• The use of the SSN as an identifier by a business group, printed on a card carried by the 
person on a regular basis. 

• The inclusion of a SSN on printed material that is mailed. This could lead to interception 
by another person at any point in the mail delivery system, starting with the printing 
company. 

• Requests by business for Social Security numbers in situations that do not involve 
employment, taxes or the extension of credit. 

Recommendations: Private entities may not use the SSN other than for tax purposes or purposes 
designated by either state or federal governmental agencies. They may not publicly display, use, 
sell or share the information. ITRC will be happy to assist in providing language for such a bill, 
modeled on several state laws that address this issue currently. This ruling would eliminate the 
use of a SSN as a student Identification number and health insurance policy number. 


5. Collection of Identity Theft Statistics 

Finding: Victims of Identity Theft should have the right to accurate assessment of the 
prevalence of the crime. 

There are constant requests for accurate statistics regarding the number of identity theft cases 
nationwide. Such information is not available due to the fact that identity theft is not a tracked 
crime. Crime data for certain crimes is collected annually by the Federal Bureau of Investigation
for study and analysis. Identity theft is not one of these crimes. Even if identity theft were 
added to the list of tracked crimes this would not generate accurate statistics. There are still 
states within the United States that do not have laws that require local law enforcement to take a 
report. 


Recommendations: 



• Identity Theft should be added to the current list of tracked crimes for statistical analysis. 

• Mandate that to qualify for any federal financial support, law enforcement must report on 
identity theft crimes in their jurisdiction. Use of the Federal Trade Commission’s Identity 
Theft Statement should make the required reporting time a non-issue. 

• Creation of a program where all identity theft reports are gathered for review and 
analysis. Data and intelligence gained from this program to be provided to LEA for case 
use. 


6. Criminal Identity Theft: 

Finding: Criminal Identity Theft victims should have standard mitigation processes for 
their cases. 

The victim in Criminal Identity Theft faces a secondary wounding due to the placement of 
his/her personal information on a criminal record. Warrants and records under the victim’s name 
can be cleared; however, the re-issue contains the victim’s information as an AKA (Also Known
As) descriptor. The victim faces the obstacle of proving that they are not the person being 
sought by law enforcement, as well as to employers or prospective employers. To remove the 
AKA information would be detrimental to the law enforcement community, while providing the 
imposter with a cleaned identity to use to mislead law enforcement again. 

Recommendation: In any case where an NCIC file has been created using the information of a 
real person as an alias, the biometric and personal data of the real person should be captured and 
marked to clearly identify the true victim. Additionally, there should be a standardized method 
of clearing one’s name in the event of criminal identity theft at the local, state, and federal level. 

Recommendation: The creation of a national NCIC Identity Assumption Victim’s Registry. 
Through this system victims would receive a card they could use anywhere in the U.S. to show 
that a pre-existing criminal case of identity theft has been recorded. Currently, only a few states 
have a “passport” program and it cannot be used out of state. Details of the creation of said
registry and the development of the program would need to be assigned to a taskforce including 
the FBI, other government agencies, and victim advocates. 

Recommendation: It should be required that any data aggregator or background screener must 
have a working policy to correct any incorrect information in their possession when they are 
notified by consumers that their information is not correct. Secondary data aggregators must 
maintain updated records reflecting monthly changes in the primary records they purchase. 


7. Security Breach Notification 

Finding: A national security breach notification law would add to best practices against 
fraud and identity theft. A breach notification should be a right provided to all individuals. 



While people receiving breach notification letters are not identity theft victims, their information 
could be at higher risk of being used fraudulently. The American public is highly concerned 
about the lack of security of personal identifying information in the workplace and marketplace. 
ITRC has been studying data breaches since 2005, observing trends in the causal factors that lead 
to a breach of personal identifying information. It is clear from the passage of laws in 44 states
and the District of Columbia that breach notification is a topic consumers want addressed. 
However, this patchwork of laws has made it difficult and costly for businesses to comply with 
said laws. 

Recommendation: The creation of a federal breach notification law that would equally apply to 
all governmental agencies and companies. ITRC recommends the following items for inclusion 
of this bill: 

• Notification of a breach should be done in a timely manner, without any hint of “a need 
to prove risk of or substantial harm.” Due to the sophistication of fraudsters and their 
intimate knowledge of laws and law enforcement procedures, it is impossible to declare 
that information that has been out of the control for even a short period of time could not 
have been read or copied. It could be warehoused until people stop looking for any 
indication of a breach. 

• What information fields were breached should be included in the notification letter so 
that consumers can take appropriate steps. This would also avoid having the consumer 
take unnecessary steps that could harm the consumer as well as be costly for industry. 

• The extension of a 7-year fraud alert with the notification letter, or the allowance of a free 
credit freeze, should the consumer prefer that option. This extension should also permit 
the affected person to receive a credit report twice a year, the same as victims of identity 
theft. 

• This law should be the standard for all breach notifications, but should not pre-empt state 
laws with tighter requirements. 

• There should be a state right of action, plus a business right of action in the event that a 
subcontractor costs a business expenses it would not incur otherwise. 

• Notification needs to be provided no matter in what form the exposed data was stored. 
Currently most legislation seems to have overlooked that we are still a paper driven 
society. According to ITRC statistics, in 2009 about 25% of all breaches were paper 
breaches.

• A requirement that the notification letter include a contact phone number in case a 
consumer has additional questions. 

• The legislation should have a provision giving industry the ability to use substitute means 
of notification in specific circumstances to save money should the affected population be 
of significant size. 

• ITRC recommends the creation of one national master database which includes copies of 
all notification letters and the electronic publication of said list. One agency that might 
be tasked with this would be the Federal Trade Commission. This list should be updated 
weekly. It should be set up similar to the one used by the New Hampshire Attorney 
General which allows various field sorting. 

o This national breach database should be considered a way for victims to find out 
about breaches. However, equally important, a single database provides a source
to research data breaches and provide further information needed to help control
this problem. That information could be added into the “Red Flags Compliance 
Guidelines” or become the basis for a new set of information protection 
guidelines. 

• This legislation should not require entities to purchase any consumer products for 
remediation purposes. 

• To encourage safe information handling practices, and reward responsible companies or 
agencies that have adopted good security measures, if the data lost was encrypted or 
rendered unreadable by strong protective measures (password protection not included), 
then the entity should not be required to send out notification letters to the affected 
individuals and should not be included in the master notification list. 

• However, the company should still be required to notify the agency designated to compile 
the national breach list so that statistics about these breaches (encrypted or strongly 
protected) can be monitored. 


8. Patient/Victim Rights as a Result of Medical Identity Theft: 

Finding: Medical identity theft victims should have the right to see their medical records, 
including records in which an imposter has used their information fraudulently, and have 
that fraudulent information removed from their files. 

When a person finds out that an imposter has gained medical care using their medical insurance 
policy number, name or Social Security number, he/she has both financial and medical record 
issues to correct. When attempting to correct or remove the medical records created by the 
imposter, the victim is fighting multiple HIPAA rules that were not written in a manner to allow
correction of medical identity theft. 

Years ago, when a victim asked a creditor for records on an account they claimed was identity
theft, they were denied access to those records because the records “belonged” to the imposter 
and it might be a violation of privacy. That was corrected with the passage of FCRA Section 
609e and 605b which allows for the blocking of fraudulent information. 

Recommendation: A similar process needs to be put into place for medical files. The victim 
needs to see what information is on their own medical records that may be part of the records 
of the imposter, and have the right to redact this information from their own medical files.
HIPAA does not allow medical records to be deleted. This could be addressed by the creation of
a second file linked to the primary true file and a notation that a second person may be using the 
victim’s information. Red Flag Guidelines for authentication of patients will help but not solve 
existing problems. This could become a growing problem as we move toward centralized 
electronic medical records. 


9. Collection Agency Issues



Finding: Identity theft victims should have the right to be treated as victims by the collection
industry, and have a process created that will regulate collection agencies when dealing 
with “reported” fraudulent accounts. 

The Fair Debt Collections and Practices Act (FDCPA) was created to regulate the collection 
industry while trying to recover legitimate debts. This industry is a necessary part of the 
business community and plays a vital role in minimizing business loss. 

The law does not, however, address the issues that are presented by victims of identity theft who 
are not disputing a collection, but rather are reporting that the account never belonged to 
them. These victims have the right to a regulated process that collection agencies must follow 
once they have been presented with the proper credential indicating that a fraud has occurred. 

Today, many collection agencies bounce victims back to creditors who then refer the
person back to the collection agency that “owns the account.” Victims deal with
customer service representatives who are used to “getting the money.”

Recommendation: Congress should either create new regulations or add language to the 
FDCPA regarding identity theft issues. This language should include: 

• Once a victim has provided standardized documentation of a fraudulent case, a set of 
procedures should be created to clear the record from both the collection agency files 
and the original creditor (or company that is now in possession of the record).

• Once a victim has provided this documentation, all communications will be of a 
nature to help resolve the situation. Debt collection and “asking for the money” will 
not be legally allowed after documentation has been provided in legal format. 

• Once a case has been declared “closed due to fraud,” it cannot be sold, traded or 
provided to another collection agency. Additionally, the initial collection agency 
contacted by the victim is to complete the investigation/transaction until complete 
even if it exceeds the 7-year deadline discussed in the FDCPA. 

• A letter of clearance shall be provided to the victim indicating the fraudulent account 
has been marked as such, removed from the victim’s credit report, and notice has 
been provided to the creditor. 

• Private right of action shall be provided to governmental agencies and the victims for 
disregard of the new standardized identity theft procedures. 


10. Secondary Impacts of Identity Theft 

Finding: Identity theft victims should have the right to protection from punitive actions 
taken against them by secondary entities until an investigation is complete and credit 
reports and credit scores have been corrected. 

In the Aftermath Study questionnaire, and while working as victim advocates, ITRC has asked 
victims if there are any secondary effects we need to deal with due to identity theft. Many 
victims still find out about the crime when being denied credit, employment or loans. This 
occurs because their credit and consumer reports have already been impacted by fraudulent 
activities of the imposter. This misinformation may take months to clear. While the Aftermath 
Study shows a steady decrease in the time needed to clear all issues of misinformation, 53% of
respondents reported it took up to six months. Nearly 30% reported it took 7-23 months and
another 20% took more than two years to clear their name. 

Unfortunately, that delay does not help a victim who found out about the crime while applying 
for a home loan or other time-sensitive issues. While “trade-line blocking,” a right under 
FACTA, does provide some relief, it does not apply to consumer reports used for employment. It 
is sometimes refused by the creditor, who has found the victim “guilty” despite a police report 
and/or proof of other crimes by the perpetrator. Lower credit scores have resulted in the denial 
of new lines of credit or tenancy, higher auto and home insurance rates. It may cause the closure 
of credit cards not affected by the case, and denial of employment or promotions. These are 
situations that are not easy to rectify. The denial of new credit and the closure of existing cards 
appear to be at an all-time high. 

Recommendation: Our legal system is based on the principle of “innocent until proven guilty.” 
The opposite is true in identity theft. Victims must prove they did not create the fraudulent 
accounts or records that resulted in a “risky” credit or consumer report. Victims should have the 
right to have their report marked as “under investigation due to reports of fraudulent activity” if 
they provide a confirmed and valid police report. Companies that might take an adverse action 
based upon a negative consumer/credit report, should be required to suspend such action until 
that remark is removed and the report reflects the correct information. Additionally, victims 
should have the right to send affidavits with valid police reports to the individual companies if 
that company has already taken negative actions. Upon receipt of that paperwork, the company 
must restore the victim to their prior status until the case is resolved. 


In Conclusion: 

The crime of identity theft continues to grow and evolve along with the changes in our society. 
The thieves take advantage of new opportunities provided by weaknesses in technology and 
document handling, and changes in consumer patterns. In 1970, the writers of the FCRA could 
not have predicted the credit trends and practices of 2003, let alone 2009. 

There will be a continual need for updating laws to provide identity theft victims the rights and 
tools they need to restore their good names. Congress should consider having a subcommittee 
specific to identity theft and cybercrime issues. This would allow members to stay as current 
about this crime as the industry experts, businesses and criminals. As a PhD candidate in 
identity theft, I know that even a short gap in reading the research and media articles about 
identity theft makes one out-of-touch with this fast-changing subject. 

As you consider the rights of victims and laws that will either assist victims or limit the risk of 
becoming a victim, it is critical that the Members of Congress remember that these laws will 
need to be revisited and modified over time. In the world of identity theft, today is tomorrow. 
Criminals are already planning ways to commit new crimes we have not yet anticipated. 

Information trafficking and the selling of fraudulent documentation was not even a consideration 
by many 10 years ago, but they are now a major area of concern. ITRC is constantly 
researching, reviewing and considering methods to adequately address the identity theft issues of 
today. We continuously consider these questions from the perspectives of “What is good for all 
parties involved,” and “How can the crooks exploit this?” 





ITRC believes that our nation may have become desensitized to the average victim of identity 
theft due to the sensationalism of extreme cases that make the news. The average victim has 
deep feelings of rage, a sense of powerlessness, annoyance, isolation, personal financial fears, 
betrayal, and a sense of being an outcast. Their crime is not over in a matter of minutes but can 
be measured by months and sometimes years. In the Aftermath Study this year, 31% of all 
respondents felt “sick of being suspect or fighting the system” and 12% felt “they had lost 
everything.” Most people truly don't understand how long it takes to emotionally recover from 
the life changing events that follow the initial identity theft moment. 

ITRC will continue to take a strong stance for identity theft victims’ rights, and continue to be 
the voice of the victim. When a victim faces so many obstacles that they give up, or commit 
suicide, something is seriously wrong. This is not a victimless crime. Identity theft victims are 
trauma victims. They need to be validated, informed, and acknowledged as victim and not the 
cause of the crime. Victims of identity theft need to know they are not alone and that the crime 
committed against them is real, and taken seriously by their government. 

The recommendations in this written testimony are not structured in legal language, but rather 
are guidelines for legislative action. ITRC would be honored to serve in any manner to help 
create the language of these laws. It is a daunting task to both help victims, and also make sure 
that few loopholes are created in this type of legislation. 

Through our testimony we introduced you to some of the victims who have helped us to 
understand the changes that must be made in the areas of victims’ rights. We hope their stories 
illuminate the issues as clearly for you as they have for us. 


Thank you for your time and consideration. 

Eric Handy on behalf of the Identity Theft Resource Center 


Addendum: 

Case history: I became a victim of identity theft in March 2001. I found out when the person who 
had my social security number tried to open a credit card with a bank that I already had a card 
with. The woman was not able to give my correct birthday. They contacted me but they gave me 
a hard time saying that it was my daughter. They suggested that I contact the credit agencies 
about a fraud alert. That is when I found out that the person had many credit cards and a cell 
phone and they even bought a computer from Dell. Since I found out early I was able to stop 
almost everything before it was way out of hand. I filed a report with the Dallas police 
department and talked to a detective on a regular basis, only to find out they would do nothing. 
They had the address to which the credit cards and computer were sent but they would not go 
there. They even had another address where the person used a credit card in my name to buy a 
pizza. It took many months to clear everything up and I still have the fraud alert on my report for 
seven years. This is a crime that is too easy for someone to do and they get away with it because 
our laws are too easy and the officers are not trained on this type of crime. I feel I am luckier 
than most because I found out early and was able to clear up the damage within a year. 

While you know my story, that only tells part of the picture. What I discovered disturbed me 
greatly: 





1. Fraud alerts only help a little. Most places do not even honor them. So I'm not sure they 
help very much. 

2. After I put the fraud alert on, they still opened a few more credit cards. All of the 
accounts they opened were done on the Internet. 

3. I found that the credit card companies did not care much, they just closed the accounts. 
But before they will close the accounts you have to prove to them it was not you who 
opened the account. 

4. They also made you wait on the phone a long time and you are transferred to many 
people before you found one that could help you. Most of the people I talked with acted 
like they were not educated enough on the subject. 

5. They treat you like it was your fault and most of them need more training on this issue. 

6. The police are no help at all. 

7. The credit agencies take forever to remove the fraud accounts from your file. 

8. The victim spends hundreds of hours writing letters and phone calls trying to remove the 
damage the thief caused while they are free to go to the next victim. 

9. The Laws should help the victims, but you are alone when it comes to identity theft. 





Mr. Clay. I thank all of you for your testimony. Let me start the 
questioning with Ms. Allen. 

Ms. Allen, will the move to electronic medical records bring with 
it an increase in medical identity theft and why? Why is that? 

Ms. Allen. I believe it will, because you are aggregating data 
and making it easier for the criminals to detect. I think it is a good 
thing. I am not opposed to this happening, but any time you make 
it easier, in a way, to create a larger data base, it makes it more 
attractive to thieves. 

The thieves are going to be interested in it because they don’t 
have insurance or want to have insurance to cover some procedure 
in a hospital. It may be that they want to get access for prescriptions 
for drugs, and that is a big issue for having the data for legitimate 
drugs, but drugs they may be after. 

The third part of it is, they will be looking to scam the system, 
whether the Medicare system, Medicaid, or the hospital system. 
There is a lot of money flowing right now that it would be very 
easy, if you had a false ID, to be able to access. 

All of this would be prevented if, when they were developing the 
procedures and requirements for the medical data bases, they 
make sure that there is adequate security and layers of security 
and the technology that will help to limit the access to that data; 
that we will make sure that only those that have — that are enabled 
or should have access to it can have access to it. But it is going 
to bring security problems. 

Mr. Clay. Mr. Rotenberg, Mr. Handy addressed an issue that is 
a mystery, I guess, to lawmakers here. How do we rectify that person’s 
medical record that has been stolen so they can get back to 
it to correct it when the imposter, in accordance with our laws, now 
has rights to that medical record that the imposter stole? How do 
we fix that? 

Mr. Rotenberg. Sir, I need to look a little more closely at the 
relevant regulation. 

I know a lot of the agencies are working to implement the privacy 
law that was recently signed, the HITECH Act. But my instinct 
would be that there is going to be some entity out there, 
maybe it is the hospital, maybe the insurer, but somebody has that 
record. And whoever has that record has the responsibility to ensure 
that it is accurate. 

I don’t think that they get to say to the actual patient, “we are 
terribly sorry there has been some confusion here; you are going to 
have to sort it out.” It is the organization that has the record that 
has to sort it out. You are going to have to put some new incentives 
on those organizations that have the record and say, “There is a 
problem here and you are the ones who are best able to fix it.” 

Mr. Clay. Let me ask you, Ms. Allen, why do you feel a Federal 
preemption law on privacy is better than those in individual 
States? 

Ms. Allen. I think we have a complex system of State laws, and 
it makes it more expensive for any business. 

For example, 95 percent of health care providers are small businesses 
or small practitioners. It becomes almost impossible for a 
small business to understand what the privacy laws are in each 
State; therefore, they sometimes they don’t pay attention to it. 





So if you had one Federal law, it would be easier to make people 
aware of it and consistent. And it would be more cost effective; it 
would be better for consumers because they would understand 
what their rights were in each State. And there are some excellent 
laws out there. There is a new Massachusetts law that might be 
a model. 

One of the other issues, it has to be on all businesses, not just 
on financial services companies, because all businesses have sensitive 
data either about their employees or their customers. And so 
it needs to be something that goes across industries. 

Mr. Rotenberg. I want to speak briefly on this issue because it 
is one that people in the privacy community feel very strongly 
about. 

I think it would be a tragic mistake to have Federal preemption 
specifically in the area of identity theft because one of the things 
that we have observed over the last several years is that the State 
legislatures, which are close to this problem, are coming up with 
new solutions to try to respond as they uncover new problems. 

The Federal law is a very good baseline, but in California, for example, 
they just recently amended their identity theft to deal with 
this problem of medical identity theft, because they were now experiencing 
a new problem. If they had been preempted, prevented 
from doing that, I think many more people would have been suffering 
as a consequence. 

Mr. Clay. Ms. Allen, you recommend the government conduct 
more research in this area of identity theft. Could you be more specific 
and how would you propose more standardized approaches to 
dispute procedures? 

Ms. Allen. I think public funding should be available — and it 
could be administered through the FTC or the DOJ or whatever 
the appropriate agency is — but first of all, to really track the correlation 
between data breaches and actual incidents of identity 
theft, because it is growing. 

There are arguments on both sides that you can have data 
breaches of millions of records, but only a few turn into identity 
theft. I would argue that many of these organized criminals are 
holding that data. And the last time I testified before you, the CIO 
from the State of Missouri talked about apprehending a criminal 
who had stolen records from the University of Missouri, and they 
were going to hold it for 10 years. That is strategic planning. 

So I think we have to look at the correlation between data 
breaches and incidents of identity theft and track that over time. 
I think we have to look at what policies and procedures are already 
in place, including legislation, and how effective is it; and a good 
example of that is the credit reports or credit freezes, and track 
over time how effective that is. 

I have mentioned we are on the tip of an iceberg. And I come 
from the cybersecurity perspective, and I think it is going to blow 
open what is happening out there in terms of the access to data 
from cybersecurity breaches. We need to be ready and prepared to 
help the victims and have the layers of security, but we have a war 
coming. 

Mr. Clay. Thank you. 





Mr. Rebovich, what do you propose to bring the treatment of 
identity theft victims in line with the way that the criminal justice 
system treats victims of other types of crime? 

Mr. Rebovich. Frankly, I think we are behind in doing this as 
a society. 

The treatment of identity theft victims, I would say, is — I would 
sort of call them the second level of seriousness, where it should 
be a higher level of seriousness that we address. In other words, 
even though it is not a physical assault, it is an assault upon the 
finances of the people who are victimized. 

My feeling is that actually the term “identity theft” has become 
sanitized to the point we are accepting it as, yes, it is a part of life. 
I think we have to change. I think we have to change our perspective 
as a system, the criminal justice system especially. 

If it was a victim of domestic violence, as a society, we would 
make sure that person who has been victimized gets all of the possible 
help that they can to recover. Right now we are not doing 
that; we are not doing that with identity theft victims. 

I am not saying that the particular crime is on the same level 
as a violent crime, but I think we have to treat it with more seriousness. 

Mr. Clay. Usually it is a financial harm that is committed so we 
need to first repair the financial damage that occurs and any other 
damage. 

Mr. Rebovich. I would say the financial harm can be very serious 
and also lead to psychological harm and emotional harm. That 
is something that I think criminal justice research has not really 
tracked very effectively: What’s the long-lasting harm that it brings 
to people who are victimized? 

Mr. Clay. Ms. Wallace, the Identity Theft Assistance Corp. has 
unique data-sharing agreements with several government agencies 
and private industries that are used in its mission in the investigation 
and prosecution of identity crime. 

Can you share this uniqueness with the committee at this time? 

Ms. Wallace. Absolutely, Mr. Chairman. 

As I mentioned very briefly in my testimony, today and for years 
individual companies have shared information about their own experiences 
with law enforcement. And they will work on individual 
crimes. 

But to do the best possible job today, as some of the other witnesses 
have said, this is cybercrime. It may involve multiple witnesses 
across multiple jurisdictional lines, so you really have to 
have Federal, State and local enforcement agencies working together 
and data from multiple sources. That has been the key to 
success of the regional identity theft task force. 

For example, there is a great task force in St. Louis that has a 
great record of bringing together St. Louis County and the district 
attorney’s office and FBI and Secret Service to work on a collective 
basis, so when they have information from various jurisdictions 
about multiple victims across jurisdictional lines, they can do a far 
more effective job in using their limited resources to catch the 
criminals. 

Mr. Clay. How do we get better procedural help in the resolution 
of cases? How do we establish better clearance procedures in national 
data bases for criminal identity theft victims? Is a bill of 
rights the answer? 

Ms. Wallace. I would say the law enforcement community has 
already done the foundation for data-sharing on the Federal level. 
And I would be happy to respond in more detail in writing with 
more information about some of the great projects that we work 
with to share information among Federal and State law enforcement. 

I am sure the Federal Trade Commission would be happy to provide 
more information about how their Consumer Sentinel Data 
base is used by about 1,400 law enforcement agencies around the 
country at the State, local and Federal level. 

So the foundation is there. But certainly more training, more 
funding, and frankly, more encouragement to do this kind of 
partnering would be very welcome. 

Mr. Clay. Thank you. 

Mr. Handy, H.R. 2221, the Data Accountability and Trust Act 
was introduced in the House by Chairman Bobby Rush of the Subcommittee 
on Commerce, Trade and Consumer Protection. The 
ITRC has been involved in monitoring the legislation as well as 
working with those that have been aggrieved by theft. 

What are your thoughts on this legislation? Does it go far 
enough? Please elaborate. 

Mr. Handy. Our recommendation is that it probably does not go 
far enough when it comes to identity theft regulations. The bill 
itself — and I’m trying to remember when we discussed that exact 
bill; but when it comes to identity theft, we felt there should be a 
general ruling and you should give each State the opportunity to 
go further based on the situation. That was our standpoint on that 
bill. 

So general sentencing, but you want the ability to add more 
based on the situation at hand. 

Mr. Clay. Thank you. 

Mr. Rotenberg, can you comment on the Fair Debt Collection 
Practices Act and its ability to adequately cover identity theft victims? 
And where does your organization fit in this? 

Mr. Rotenberg. Mr. Chairman, we are actually not familiar 
with that legislation, so I don’t think I have a comment on that. 

I did testify on Mr. Rush’s bill, and I think that is good legislation. 
I think it would help reduce some of the problems related to 
identity theft. 

Mr. Clay. All right, thank you for that. 

What policy changes can enhance the support of future research 
on identity theft and its victims, and what specific areas do you see 
as warranting future research? 

Mr. Rotenberg. Well, I think the statistics are very useful. I 
think that the information that the FTC has been collecting over 
the years gives us a clear picture of the problem and some of the 
trends that we need to be aware of. So we certainly support that. 

I think it would be helpful in anticipating some of the new types 
of problems that are about to emerge to expand some of the data 
collection — looking at medical identity theft, for example. And also 
some of the identity theft related to new online services, I think the 
information is very, very helpful. 





Mr. Clay. Ms. Allen, what more can be done by the technology 
community to mitigate identity theft, and what responsibility do 
they have? 

Ms. Allen. This gets back to the issue of cybersecurity breaches, 
the application software — software providers are operating systems 
that have great vulnerabilities — some kind of both accountability or 
perhaps liability on the technology community to be partners with 
the user community in closing those vulnerabilities or finding 
patches that will work more quickly, or staying ahead of some of 
the cybersecurity thieves. 

The way it is right now, the user community pretty much has the 
total responsibility and accountability. 

Mr. Clay. As a final question to the entire panel, give me your 
thoughts on what more can be done to educate the public and law 
enforcement about helping the victims of these crimes, Ms. Allen? 

Ms. Allen. I think showing the link between cybersecurity 
breaches and identity theft will be very important; and as we have 
a cybersecurity czar in the White House, having that is part of the 
mandate. 

Second, in the dialog around a consumer financial protection 
agency, having identity theft and cybersecurity threats be part of 
that dialog. 

Mr. Rotenberg. I think telling people about the very good resources 
of the Federal Trade Commission, as well as the resources 
provided by some of the organizations represented on this panel, 
will help consumers. But I do believe very strongly that in this 
area there is only so much the consumers can do. 

I think we need to get to the root of some of these problems 
about computer security, use of the Social Security number, and 
that will have to happen in Congress. 

Mr. Clay. Mr. Rebovich. 

Mr. Rebovich. I think that we have to attack the problem from 
several different areas at once. And in terms of the education of the 
average citizen to prevent victimization, we can’t forget that 
cybersecurity is very important. Many more people are on the 
Internet than ever before. 

But we can’t overlook the fact that many of these cases are low-tech 
cases as well. People can be victimized from not shredding 
personal material. They can be victimized because they don’t have 
a lock box on their mailbox. Many of these offenders that we research 
in our study used very low-tech methods. They didn’t have 
to go any further; the opportunities were there. 

So in terms of educating the average citizen, I think we have to 
educate the average citizen on awareness, on how to protect themselves 
on the Internet and use of computers, but also not forget, 
they have to be certain every day that they are doing everything 
they can to prevent victimization by the use of low-tech methods. 

Mr. Clay. Thank you. 

Ms. Wallace. 

Ms. Wallace. I would agree with most of the comments made 
by the other panelists; that is, the complex nature of identity theft 
makes education extremely difficult because there are so many 
kinds of risks, and it can happen in so many different ways. 





Having said that, I am particularly excited about an initiative 
that we will be launching later this summer focused on youth, an 
audience that perhaps has not been brought into this debate as 
much as they need to be. And so it is a program to help the youth 
who are online on Facebook and YouTube and lots of other places, 
and understand that there are risks indeed in that environment. 

Mr. Handy. From a consumer standpoint, we need more awareness 
training and reaching out to the public, for instance, teaching 
people how to read credit reports and what they are supposed to 
do on a yearly basis so they can catch it. 

My theory is, it is not if it is going to happen, it is when it is 
going to happen; so prepare them for what can happen and how to 
defend themselves. And I think we can at least cut down the loss. 
If you catch it early, it is not that bad of an issue. But if you don’t, 
it drags on. 

From a business standpoint, I like what the Federal Government 
has done with FISMA, the scorecards, put some accountability to 
a lot of people, and it seems to work to some degree where people 
will move and make better — they use that in the business world. 

Mr. Clay. I want to thank all of you for your testimony. I find 
this subject to be one of urgency. I find it also to be fascinating that 
in this day and age we haven’t really figured out how to police this 
issue. And as a government, we need to get on top of this and stay 
on top of it. 

And so I appreciate all of your testimony today and the first panel’s 
testimony. I am sure that this will not be the last of hearings 
like this on this subject matter. But it is now time for us to act 
as an institution, as a legislative body, to come up with sound law 
based on some of the advice you have brought us today. 

We have been joined by Ms. Watson of California. We were really 
wrapping up, but if you have anything that you want to contribute 
at this time you may, Ms. Watson. 

Ms. Watson. Mr. Chairman, I am always pleased to come to 
your committee. We were invited over to the Senate to meet with 
Senator Reid, and by the time I got there, the meeting had been 
canceled. 

But I do know that the issues that we wanted to raise, I have 
been told that most of the questions have been addressed, so I just 
want to thank you. Sorry to be so late to catch you at the end, but 
do know that I am absolutely interested in the subject matter, and 
I hope to hear more. 

Mr. Clay. Thank you so much. 

This subcommittee hearing stands adjourned. 

[Whereupon, at 4:30 p.m., the subcommittee was adjourned.] 

[The prepared statements of Hon. Diane E. Watson and Hon. 
Patrick T. McHenry follow:] 




Opening Statement 
Congresswoman Diane E. Watson 
“Identity Theft: A Victim’s Bill of Rights” 

Subcommittee on Information Policy 
Oversight and Government Reform Committee 

Wednesday, June 17, 2009 
2154 Rayburn HOB 
2:00 P.M. 

Thank you Mr. Chairman for holding today’s 
important hearing on the problem of identity theft, and 
how to improve protections for victims. This hearing 
comes at an opportune moment, as experts predict a 
rise in the number of identity theft victims in upcoming 
years. 


Identity crimes may start with an individual victim, 
but they multiply into large economic and societal costs 
for American families, businesses, and government 
institutions. I hope that today’s hearing will provide us 
with clear recommendations to improve the rights of 
victims while lessening the frequency and impact of 
these crimes. 

It is estimated that 10 million Americans fell victim 
to identity crimes in 2008, resulting in devastating 
financial, physical, and emotional costs to these 
individuals. These hardships for identity theft victims 
are compounded by widely held misperceptions about 
the depth of these crimes, and a lack of uniform 
protections and services for victims. 


Identity theft victims deserve the same rights as 
other victims of crime; unfortunately victims of identity 
crimes currently face daunting obstacles when seeking 
restitution and the restoration of their identity. 

Mr. Chairman, I would like to thank today’s 
witnesses for providing us with their testimony. Their 
insights are critical to understanding the complex 
impact of identity theft, and the policies needed to 
ensure victims, businesses, law enforcement, and 
government institutions are empowered with the tools 
necessary to protect victims and to prosecute criminals 
involved in these crimes. 


I yield back the remainder of my time. 





EDOLPHUS TOWNS, NEW YORK 
CHAIRMAN 


DARRELL E. ISSA, CALIFORNIA 
RANKING MINORITY MEMBER 


ONE HUNDRED ELEVENTH CONGRESS 

Congress of the United States 

House of Representatives 

COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM 
2157 Rayburn House Office Building 
Washington, DC 20515-6143 


Majority (202) 225-5051 
Minority (202) 225-5074 


Statement of Rep. Patrick McHenry 
Ranking Republican Member 

Subcommittee on Information Policy, Census, and National Archives 

“Identity Theft: Victims Bill of Rights” 

June 17, 2009 


Thank you, Chairman Clay for holding this hearing. 

Today the Subcommittee examines a growing threat to the American public, the 
nation’s economy, and our national security - identity theft. 

Identity theft is not a new crime. For centuries, people have found ways to 
assume the life or personal attributes of others in their society. Over the years, methods 
and tools have evolved. 

The growth of the internet and globalization, for all its prosperity and innovation, 
has exposed our society to a host of new and evolving threats. No longer bound by the 
physical world, criminals can hide behind false or multiple identities, across international 
borders, and within complex criminal networks. 

The rise of identity theft in the past decade prompted increased national attention. 
From strengthening law enforcement to improving victim assistance, federal and private 
industry actions have improved the nation’s ability to prevent, mitigate, and respond to 
identity theft. 





Javelin Research found that in 2008 an estimated 9.9 million Americans fell 
victim to identity fraud with an approximate loss of $48 billion dollars. Despite a 22% 
increase in incidents, a 31% decline in consumer costs indicates that preventative 
measures are having a positive effect. 

Still, the threat remains and statistics about growing victim rates and multibillion 
dollar effects can spur the interest in legislative or regulatory action. Instead of 
patchwork fixes or burdensome legislation, the nation needs to focus on our strengths, 
and build on our weaknesses, to establish a sound national strategy. 

Already, work in the private sector, particularly in the financial industry, has 
improved consumer protections and victim response. Fostering competition and industry 
communication enables corporations to assume the responsibility for protecting customer 
information and building consumer trust. 

Centralizing data collection and facilitating law enforcement coordination will 
improve our ability to understand trends and target criminals. 

Finally, ensuring that private citizens understand how to safeguard information 
and respond to incidents of fraud is vital to preventing the spread of identity theft. 

Working as a nation we have the tools to develop a coordinated, flexible, and 
responsible strategy. We can learn from experience and our respective strengths to strike 
a balance between federal, corporate, and individual responsibility. 

Thank you again and I look forward to today’s testimony. 





